CVE-2026-33163 in parse-server
Summary
by MITRE • 03/19/2026
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a class, the LiveQuery server leaks protected fields and `authData` to all subscribers of that class. Fields configured as protected via Class-Level Permissions (`protectedFields`) are included in LiveQuery event payloads for all event types (create, update, delete, enter, leave). Any user with sufficient CLP permissions to subscribe to the affected class can receive protected field data of other users, including sensitive personal information and OAuth tokens from third-party authentication providers.

The vulnerability was caused by a reference detachment bug. When an `afterEvent` trigger is registered, the LiveQuery server converts the event object to a `Parse.Object` for the trigger, then creates a new JSON copy via `toJSONwithObjects()`. The sensitive data filter was applied to the `Parse.Object` reference, but the unfiltered JSON copy was sent to clients.

The fix in versions 9.6.0-alpha.35 and 8.6.50 ensures that the JSON copy is assigned back to the response object before filtering, so the filter operates on the actual data sent to clients.

As a workaround, remove all `Parse.Cloud.afterLiveQueryEvent` trigger registrations. Without an `afterEvent` trigger, the reference detachment does not occur and protected fields are correctly filtered.
Analysis
by VulDB Data Team • 03/23/2026
CVE-2026-33163 affects Parse Server versions prior to 9.6.0-alpha.35 and 8.6.50. It is a critical information disclosure flaw in the LiveQuery server, the component that delivers real-time updates to Parse applications. When a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a class, a reference detachment bug causes protected fields and `authData` to be transmitted to all subscribers of that class, regardless of their permissions or the security boundaries the application intended.
The flaw sits in the LiveQuery server's event processing pipeline. When an `afterLiveQueryEvent` trigger is registered, the server converts the event object into a `Parse.Object` for trigger execution and then generates a JSON copy using `toJSONwithObjects()`. The sensitive data filter is applied to the original `Parse.Object` reference rather than to the JSON copy that is transmitted to clients, so the filter operates on a reference that is no longer the data being sent, and protected field data survives in the final payload. The affected data includes fields configured as protected via Class-Level Permissions (CLP) and `authData`, which can contain sensitive personal information and OAuth tokens from third-party authentication providers.
The operational impact goes beyond simple data exposure: legitimate subscription permissions are all that is needed to receive the leaked data. Any user with sufficient CLP permissions to subscribe to the affected class can receive protected field data of other users, compromising their privacy and security. All LiveQuery event types are affected (create, update, delete, enter, and leave), so data can be exposed across every kind of interaction with the affected classes. The flaw is a direct violation of the principle of least privilege and of the data separation a secure backend should maintain.
The vulnerability maps to CWE-200 (Information Exposure) and can be related to ATT&CK technique T1567.002 (Exfiltration Over Web Service), since an attacker could harvest sensitive data through legitimate subscription channels. It is a classic case of inconsistent sanitization: the filter is applied to one representation of the data while a different representation of the same data is sent. Organizations running unpatched Parse Server versions face a significant risk of data breach, particularly where user authentication data and personal information are stored in protected fields. Exposed OAuth tokens and authentication data could enable attackers to escalate privileges and gain unauthorized access to user accounts across multiple systems.
The fix in versions 9.6.0-alpha.35 and 8.6.50 addresses the root cause by assigning the JSON copy back to the response object before filtering, so the filter operates on the data that is actually transmitted to clients and the reference detachment no longer occurs. Administrators should upgrade to the patched versions or apply the workaround of removing all `Parse.Cloud.afterLiveQueryEvent` trigger registrations; without an `afterEvent` trigger the problematic code path is never executed and protected fields are correctly filtered. Organizations should review their deployments for existing `afterLiveQueryEvent` triggers and ensure patching or remediation is applied to all affected Parse Server instances.
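The detachment bug and its fix, modelled as added example code (not parse-server's own implementation): `FakeParseObject`, `runAfterEventTrigger`, `filterSensitiveData`, `findLeakedFields` and the protected-field list are constructed stand-ins for the real components. The vulnerable variant filters the `Parse.Object` reference while sending the detached JSON copy; the fixed variant assigns the copy back to the response object before filtering, and `findLeakedFields` is the kind of check a test suite can run on outgoing LiveQuery payloads.

```javascript
// Constructed model of the reference detachment bug (not parse-server's code).
// FakeParseObject, runAfterEventTrigger, filterSensitiveData and the field
// list below are assumptions made for this illustration.
const PROTECTED_FIELDS = ['email', 'phone', 'authData']; // constructed CLP config

// Minimal stand-in for a Parse.Object: attributes plus a method that returns
// a detached JSON copy, in the role of toJSONwithObjects().
class FakeParseObject {
  constructor(attrs) { this.attributes = { ...attrs }; }
  toJSONwithObjects() { return { ...this.attributes }; }
}

// Placeholder for a registered afterLiveQueryEvent trigger (constructed).
function runAfterEventTrigger(parseObject) {
  parseObject.attributes.seenByTrigger = true;
}

// Strip protected fields in place from whichever object it is handed.
function filterSensitiveData(target, protectedFields) {
  for (const field of protectedFields) delete target[field];
  return target;
}

// Vulnerable pipeline: the filter runs against the Parse.Object reference,
// while the detached JSON copy, still unfiltered, is what gets sent.
function buildPayloadVulnerable(event, protectedFields) {
  const res = { event: event.type, object: { ...event.object } };
  const parseObject = new FakeParseObject(res.object);
  runAfterEventTrigger(parseObject);
  const jsonCopy = parseObject.toJSONwithObjects(); // detached from res.object
  filterSensitiveData(parseObject.attributes, protectedFields); // wrong target
  return jsonCopy; // still carries email / authData
}

// Fixed pipeline: assign the JSON copy back to res.object first, then filter
// the very data that is sent to subscribers.
function buildPayloadFixed(event, protectedFields) {
  const res = { event: event.type, object: { ...event.object } };
  const parseObject = new FakeParseObject(res.object);
  runAfterEventTrigger(parseObject);
  res.object = parseObject.toJSONwithObjects();
  filterSensitiveData(res.object, protectedFields);
  return res.object;
}

// Regression check: which protected fields are present in an outgoing payload?
function findLeakedFields(payload, protectedFields) {
  return protectedFields.filter((f) => Object.prototype.hasOwnProperty.call(payload, f));
}
```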