Parse Server has a class-level permission bypass in LiveQuery
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Before 9.5.2-alpha.3 (9.x) and 8.6.16 (8.x), class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time create/update/delete events for all objects in it, regardless of the CLP restrictions that would apply to a normal REST or SDK query against the same class. All Parse Server deployments that use LiveQuery with class-level permissions are affected: data that CLP is meant to restrict is leaked to unauthorized subscribers in real time. The issue is fixed in 9.5.2-alpha.3 and 8.6.16.
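The following example, added here and not taken from Parse Server's code base, makes the advisory's point concrete: a LiveQuery subscription is a long-lived `find` query, so the same `find` CLP that gates a normal query has to be evaluated when the subscribe request arrives. The CLP object shape is Parse's real schema format (`{ find: { "*": true }, ... }`); the `client` identity shape, the `handleSubscribe` function, and the sample schema are all assumptions constructed for this illustration. The `enforceCLP` flag exists only to show the vulnerable behaviour next to the corrected one.

```javascript
// Illustrative CLP check for a LiveQuery subscribe request. This is example
// code written for this page, not Parse Server's implementation.
//
// `clp` uses Parse's schema format, e.g. { find: { "role:Finance": true } }.
// `client` is an assumed identity object as a LiveQuery server would know it
// after the connect/subscribe handshake:
//   { masterKey: boolean, userId: string|null, roles: string[] }
function clpAllowsSubscribe(clp, client) {
  if (client.masterKey) return true; // master key bypasses CLP entirely

  // Subscriptions stream the results of a find query, so "find" is the
  // operation to check. In Parse's CLP format a missing or empty entry
  // means the operation is public.
  const rule = clp && clp.find;
  if (!rule || Object.keys(rule).length === 0) return true;

  if (rule['*']) return true;                                   // public
  if (rule.requiresAuthentication && client.userId) return true; // any logged-in user
  if (client.userId && rule[client.userId]) return true;         // specific user
  for (const role of client.roles || []) {
    if (rule[`role:${role}`]) return true;                       // role membership
  }
  return false;
}

// Simulated subscribe handling (hypothetical). With enforceCLP=false it
// behaves like the vulnerable versions: every subscriber to a known class
// is accepted and will receive events for all objects.
function handleSubscribe(schema, className, client, { enforceCLP }) {
  const classSchema = schema[className];
  if (!classSchema) return { ok: false, reason: 'unknown class' };
  if (!enforceCLP) return { ok: true }; // vulnerable path: CLP never consulted
  if (!clpAllowsSubscribe(classSchema.classLevelPermissions, client)) {
    return { ok: false, reason: 'CLP denies find' };
  }
  return { ok: true };
}

// Constructed sample schema and identities (not from any real deployment).
const sampleSchema = {
  PaymentRecord: {
    classLevelPermissions: {
      find: { 'role:Finance': true },
      get: { 'role:Finance': true },
    },
  },
  PublicPost: {
    classLevelPermissions: { find: { '*': true } },
  },
};
const anonymous = { masterKey: false, userId: null, roles: [] };
const finance = { masterKey: false, userId: 'u1', roles: ['Finance'] };

// Returns, for each enforcement mode, whether an anonymous client gets a
// live feed of the restricted class. Vulnerable: true. Fixed: false.
function anonymousCanWatchPayments(enforceCLP) {
  return handleSubscribe(sampleSchema, 'PaymentRecord', anonymous, { enforceCLP }).ok;
}

module.exports = { clpAllowsSubscribe, handleSubscribe, sampleSchema, anonymous, finance, anonymousCanWatchPayments };
```

Two caveats a practitioner should keep in mind. First, a subscribe-time check covers only class-level rules; pointer permissions (`readUserFields`) and `protectedFields` depend on the individual object and have to be evaluated per event, so this example is not a complete replacement for the upstream fix. Second, until a deployment is upgraded, the narrowest mitigation is to restrict which classes LiveQuery is enabled for (the `liveQuery.classNames` server option) so that CLP-restricted classes are not exposed over the subscription channel at all.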
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| parse-server | npm | >= 9.0.0, < 9.5.2-alpha.3 | 9.5.2-alpha.3 |
| parse-server | npm | < 8.6.16 | 8.6.16 |
Affected products
- Range: >= 9.0.0 < 9.5.2-alpha.3
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-7ch5-98q2-7289 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-30947 (NVD)
- github.com/parse-community/parse-server/releases/tag/8.6.16 (8.x fix release)
- github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3 (9.x fix release)
- github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289 (project advisory)