Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API. This issue has been patched in versions 8.6.53 and 9.6.0-alpha.42.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.53 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f99902Patch
- https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35efPatch
- https://github.com/parse-community/parse-server/pull/10250Issue Tracking
- https://github.com/parse-community/parse-server/pull/10252Issue Tracking
- https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4Vendor Advisory
FAQ
What is CVE-2026-33421?
CVE-2026-33421 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does n...
How severe is CVE-2026-33421?
CVE-2026-33421 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33421?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.