CVE-2026-30947 HIGH

CVE-2026-30947: Parse Server ha a bypass of class-level permissions in LiveQuery

Vendor Parse-Community

Product parse-server

Weakness CWE-863 · Incorrect authorization

Published March 10, 2026

Last update March 11, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16.

Key dates

02Disclosure timeline

March 10, 2026 CVE published

March 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-30947

Related vulnerabilities

Identifiers

CVE CVE-2026-30947

CWE CWE-863

CVSS 8.7 / HIGH

Affected versions

Vendor Parse-Community

Product parse-server

Affected >= 9.0.0 < 9.5.2-alpha.3

Vendor Parse-Community

Product parse-server

Affected < 8.6.16

CVE-2026-30947: Parse Server ha a bypass of class-level permissions in LiveQuery

01Description

02Disclosure timeline

03References

04Related CVE