CVE-2026-30947
Received Received - Intake
Unauthorized LiveQuery Access in Parse Server Due to CLP Bypass

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-11
Generated
2026-05-07
AI Q&A
2026-03-10
EPSS Evaluated
2026-05-05
NVD
CVE-2026-30947
EUVD
EUVD-2026-10864
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform parse-server to 8.6.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Parse Server versions prior to 9.5.2-alpha.3 and 8.6.16, where class-level permissions (CLP) are not enforced for LiveQuery subscriptions.

An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions.

This means that data intended to be restricted by CLP is leaked to unauthorized subscribers in real time.

The issue is fixed in versions 9.5.2-alpha.3 and 8.6.16 of Parse Server.


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized data exposure because unauthorized or unauthenticated clients can receive real-time updates for all objects in LiveQuery-enabled classes.

As a result, sensitive or restricted data that should be protected by class-level permissions can be leaked to attackers or unauthorized users.

This can compromise the confidentiality of your data and potentially lead to further security issues depending on the nature of the leaked information.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade your Parse Server deployment to version 9.5.2-alpha.3 or later, or 8.6.16 or later, where the class-level permissions enforcement for LiveQuery subscriptions is fixed.

Until the upgrade is applied, consider disabling LiveQuery subscriptions if possible, or restricting access to trusted clients only, to prevent unauthorized subscription to LiveQuery-enabled classes.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart