CVE-2026-30947
Received Received - Intake
Unauthorized LiveQuery Access in Parse Server Due to CLP Bypass

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30947
EUVD
EUVD-2026-10864
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform parse-server to 8.6.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Parse Server versions prior to 9.5.2-alpha.3 and 8.6.16, where class-level permissions (CLP) are not enforced for LiveQuery subscriptions.

An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions.

This means that data intended to be restricted by CLP is leaked to unauthorized subscribers in real time.

The issue is fixed in versions 9.5.2-alpha.3 and 8.6.16 of Parse Server.

Impact Analysis

This vulnerability can lead to unauthorized data exposure because unauthorized or unauthenticated clients can receive real-time updates for all objects in LiveQuery-enabled classes.

As a result, sensitive or restricted data that should be protected by class-level permissions can be leaked to attackers or unauthorized users.

This can compromise the confidentiality of your data and potentially lead to further security issues depending on the nature of the leaked information.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Parse Server deployment to version 9.5.2-alpha.3 or later, or 8.6.16 or later, where the class-level permissions enforcement for LiveQuery subscriptions is fixed.

Until the upgrade is applied, consider disabling LiveQuery subscriptions if possible, or restricting access to trusted clients only, to prevent unauthorized subscription to LiveQuery-enabled classes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30947. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart