CVE-2026-33429 in parse-server
Summary
by MITRE • 03/24/2026
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. This issue has been patched in versions 8.6.54 and 9.6.0-alpha.43.
Analysis
by VulDB Data Team • 03/29/2026
The vulnerability identified as CVE-2026-33429 affects Parse Server, a widely used open-source backend framework for Node.js. It is present in versions prior to 8.6.54 and 9.6.0-alpha.43 and is a concern for any organization that exposes Parse Server's LiveQuery interface to untrusted clients. The flaw is an information disclosure: the LiveQuery subscription mechanism handles protected fields in a way that lets a client infer sensitive data indirectly, without ever receiving the field's value.
Technically, the flaw lies in LiveQuery's watch parameter, which lets a subscriber ask to be notified only when specific keys change; nothing stops a client from naming a protected field there. The server correctly strips protected field values from event payloads, but it still decides whether to emit the update event based on whether the watched, protected field changed. The presence or absence of the event is therefore a binary oracle: each notification tells the subscriber that the protected field's value has been modified, even though the value itself is never sent.
The operational impact goes beyond a generic information disclosure. For boolean protected fields, the timing of change events is equivalent to knowing the field's value: an observer who sees when each change event arrives can track the field's state across every transition. This bypasses the access control that protected fields are meant to enforce and is a classic side-channel leak, in which sensitive data is reconstructed from the pattern of events rather than read directly from the protected field.
Organizations running Parse Server should upgrade to version 8.6.54 or 9.6.0-alpha.43, which contain the patch for this issue. Administrators should also review their LiveQuery subscription configurations and apply access controls that limit which clients can subscribe to classes carrying protected fields. The vulnerability corresponds to CWE-200 (Information Exposure) and is a specific weakness in an access control implementation; it potentially maps to ATT&CK technique T1213.002 (Data from Information Repositories) through the indirect extraction of protected field values.
Security teams should audit their Parse Server deployments for exposure through LiveQuery subscriptions and confirm that protected fields are configured so that no such leakage path exists. The fix in the patched versions addresses the root cause by ensuring that event notifications mask all changes to protected fields, closing the binary oracle that previously let an adversary infer sensitive information from the presence and timing of update events.
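The oracle described above and the shape of the fix, as an added example that is not Parse Server's own code: the per-subscriber decision of whether a LiveQuery "update" event is delivered, in the vulnerable form and in a hardened form. It assumes simplified shapes: objects are plain key/value maps, `watch` is the subscription's key list, and `protectedKeys` is the set of fields hidden from this subscriber.

```javascript
// Added example, not Parse Server's code. Simplified assumptions: objects are
// plain key/value maps, `watch` is the subscription's key list, and
// `protectedKeys` is the Set of fields this subscriber may not read.

// Keys whose value differs between the stored object and its update.
function changedKeys(before, after) {
  const keys = new Set([...Object.keys(before), ...Object.keys(after)]);
  return [...keys].filter((k) => before[k] !== after[k]);
}

// Vulnerable: any watched key that changed triggers the event, protected or
// not. The value is stripped from the payload later, but the event itself is
// the binary oracle.
function vulnerableShouldNotify(watch, before, after) {
  const changed = new Set(changedKeys(before, after));
  return watch.some((k) => changed.has(k));
}

// Hardened, step 1: refuse subscriptions that watch a key the subscriber may
// not read, so the oracle cannot be requested in the first place.
function validateWatch(watch, protectedKeys) {
  const rejected = watch.filter((k) => protectedKeys.has(k));
  return { ok: rejected.length === 0, rejected };
}

// Hardened, step 2: only changes to keys the subscriber may see count as an
// update, so no event is emitted when nothing visible changed.
function hardenedShouldNotify(watch, protectedKeys, before, after) {
  const visibleChanged = changedKeys(before, after).filter((k) => !protectedKeys.has(k));
  if (visibleChanged.length === 0) return false;
  const visibleWatch = watch.filter((k) => !protectedKeys.has(k));
  // No remaining watch keys: report any visible change, as an unfiltered
  // subscription would.
  return visibleWatch.length === 0 || visibleWatch.some((k) => visibleChanged.includes(k));
}

// Payload filtering that both versions apply; correct, but not sufficient.
function stripProtected(obj, protectedKeys) {
  return Object.fromEntries(Object.entries(obj).filter(([k]) => !protectedKeys.has(k)));
}

// Constructed sample: a boolean protected field flips while public data is unchanged.
const PROTECTED = new Set(['isVerified']);
const BEFORE = { objectId: 'abc', name: 'alice', isVerified: false };
const AFTER = { objectId: 'abc', name: 'alice', isVerified: true };
console.log(vulnerableShouldNotify(['isVerified'], BEFORE, AFTER)); // true: the event leaks the flip
console.log(hardenedShouldNotify(['isVerified'], PROTECTED, BEFORE, AFTER)); // false
console.log(stripProtected(AFTER, PROTECTED)); // { objectId: 'abc', name: 'alice' }
```

Both versions send the same stripped payload; the difference is solely whether an event exists when only the protected key changed.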