CVE-2026-33429
Parse Server: Protected field change detection oracle via LiveQuery watch parameter
| Metric | Value |
| --- | --- |
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 14th |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a `watch` parameter that names a protected field. Although the protected field's value is correctly stripped from event payloads, whether or not an update event is delivered at all reveals whether the protected field changed, creating a binary oracle. For a boolean protected field, observing when change events arrive is equivalent to learning the field's value. This issue has been patched in versions 8.6.54 and 9.6.0-alpha.43.
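The defensive point in the description is that a subscription's `watch` list must be checked against the subscriber's protected fields, both when the subscription is created and when deciding whether to emit an event. The following is an added illustration of that check, not Parse Server's own code; it assumes a simplified `protectedFields` map of `className` to an array of field names denied to the subscriber (a constructed stand-in for Parse Server's role-aware configuration), and the function names `validateSubscription` and `shouldEmit` are hypothetical.

```javascript
// Added example, not Parse Server's implementation. Assumes a simplified
// protected-field map: { [className]: [fieldName, ...] } listing the fields
// the current subscriber is not allowed to read. Function names are hypothetical.

// Constructed sample configuration: subscribers may not read these _User fields.
const protectedFields = {
  _User: ['secretFlag', 'ssn'],
};

// Return the watched keys that the subscriber is not permitted to read.
function watchedProtectedKeys(config, className, watch) {
  const denied = new Set(config[className] || []);
  return (watch || []).filter((key) => denied.has(key));
}

// Subscribe-time guard: refuse a subscription whose watch list names any
// protected field, so change/no-change on that field can never be observed.
function validateSubscription(config, subscription) {
  const leaks = watchedProtectedKeys(config, subscription.className, subscription.watch);
  if (leaks.length > 0) {
    return { ok: false, error: `watch references protected field(s): ${leaks.join(', ')}` };
  }
  return { ok: true, error: null };
}

// Event-time guard (defence in depth): decide whether an update event may be
// emitted by comparing only the watched keys the subscriber is allowed to read.
// A change confined to protected keys produces no event, so the event stream
// carries no information about them. Comparison is shallow (primitive values).
function shouldEmit(config, subscription, original, updated) {
  const denied = new Set(config[subscription.className] || []);
  const watch = subscription.watch || [];
  if (watch.length === 0) return true; // no watch filter: every update is emitted
  const visible = watch.filter((key) => !denied.has(key));
  if (visible.length === 0) return false; // nothing the subscriber may observe
  return visible.some((key) => original[key] !== updated[key]);
}

// Usage with constructed data: a watch on the boolean `secretFlag` is rejected,
// and even if it were accepted, toggling the flag would emit no event.
const risky = { className: '_User', watch: ['secretFlag'] };
console.log(validateSubscription(protectedFields, risky));
console.log(shouldEmit(protectedFields, risky, { secretFlag: false }, { secretFlag: true }));
```

Both guards are needed: the subscribe-time check gives the client an explicit error, while the event-time check ensures that a subscription mixing readable and protected keys only fires for the readable ones.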
| Field | Value |
| --- | --- |
| CWE | CWE-203 |
| Vendor | parse-community |
| Product | parse-server |
| Published | Mar 24, 2026 |
| Last Updated | Mar 25, 2026 |
Affected Versions
parse-community / parse-server
- < 8.6.54
- >= 9.0.0, < 9.6.0-alpha.43
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm
- https://github.com/parse-community/parse-server/pull/10253
- https://github.com/parse-community/parse-server/pull/10254
- https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b
- https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67