CVE-2026-32098 MEDIUM

CVE-2026-32098: Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause

Vendor Parse-Community
Product parse-server
Weakness CWE-200 · Info exposure
Published March 11, 2026
Last update March 12, 2026
View on NVD All CVEs

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or $regex), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both protectedFields configured in Class-Level Permissions and LiveQuery enabled. This vulnerability is fixed in 9.6.0-alpha.9 and 8.6.35.

Key dates

02Disclosure timeline

March 11, 2026 CVE published
March 12, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2018-15446 Cisco Meeting Server Information Disclosure Vulnerability CVE-2026-3594 Riaxe Product Customizer <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint CVE-2024-34004 moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup CVE-2022-31032 Resources of private projects can be exposed in Tuleap CVE-2023-45189 IBM Robotic Process Automation information disclosure