CVE-2026-32098
Boolean Oracle Vulnerability in Parse Server LiveQuery Exposes Protected Fields

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or $regex), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both protectedFields configured in Class-Level Permissions and LiveQuery enabled. This vulnerability is fixed in 9.6.0-alpha.9 and 8.6.35.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor          Product        Version / Range
parseplatform   parse-server   9.6.0
parseplatform   parse-server   From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform   parse-server   to 8.6.35 (exc)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32098 is a security vulnerability in Parse Server that allows an attacker to infer the values of protected fields without directly accessing them. This happens through the LiveQuery feature, where an attacker can create a subscription with a WHERE clause referencing protected fields, including nested fields or using operators like $regex. By observing whether LiveQuery events are triggered for matching objects, the attacker gains a boolean oracle that leaks information about these protected fields.

The vulnerability affects any class that has both protectedFields configured in Class-Level Permissions and LiveQuery enabled. The root cause is that LiveQuery subscriptions did not validate the WHERE clause against protected fields, unlike the REST API. This flaw was fixed in Parse Server versions 9.6.0-alpha.9 and 8.6.35 by enforcing validation that rejects subscriptions referencing protected fields.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive information by leaking the values of protected fields. Attackers can exploit the LiveQuery subscription mechanism to infer confidential data without having direct access to it.

The impact is primarily on confidentiality, as attackers can gain information they should not have access to. The vulnerability does not affect data integrity or availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an attacker exploiting LiveQuery subscriptions with WHERE clauses referencing protected fields to infer sensitive data. Detection would involve monitoring LiveQuery subscription requests that include WHERE clauses targeting protected fields, especially those using dot-notation or operators like $regex, $or, $and, or $nor.

Since the vulnerability is related to the content of LiveQuery subscription queries, detection can focus on analyzing LiveQuery subscription traffic or logs for suspicious WHERE clauses referencing protected fields.

There are no specific commands provided in the available resources to detect this vulnerability directly.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade your parse-server to version 9.6.0-alpha.9 or later, or to version 8.6.35 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, consider disabling LiveQuery for classes that have protectedFields configured, or remove protectedFields from classes that require LiveQuery, as a temporary workaround.

The fix enforces validation of LiveQuery subscription WHERE clauses to reject any referencing protected fields, preventing unauthorized data exposure.
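The detection answer above suggests watching LiveQuery subscription traffic for WHERE clauses that reference protected fields, and the mitigation answer describes the fix as a validation step that rejects such subscriptions. The following is an added example of that check written as a defender-side helper; it is not Parse Server's own code or the actual patch. It walks a Parse `where` object, including `$or`/`$and`/`$nor` sub-clauses, dot-notation keys and operator constraints such as `$regex`, and reports which protected fields a `subscribe` message touches. It assumes the caller has already resolved the list of fields protected for the connecting subscriber from the class's `protectedFields` CLP; the message shape (`op`, `requestId`, `query.className`, `query.where`) follows the LiveQuery wire protocol, and the sample log lines are constructed.

```javascript
// Added example (hypothetical helper, not Parse Server code): flag LiveQuery
// "subscribe" messages whose "where" clause constrains a protected field.
// PROTECTED_FOR_SUBSCRIBER is assumed to be the resolved protected-field list
// for the connecting session; SAMPLE_LOG lines are constructed for the demo.

// Collect every field name a Parse "where" clause constrains. Top-level logical
// operators ($or, $and, $nor) hold arrays of sub-clauses; any other key is a
// field, possibly in dot-notation ("profile.ssn"). The constraint value may be a
// literal or an operator object ({$regex: ...}); either way the field is used.
function referencedFields(where, out = new Set()) {
  if (where === null || typeof where !== 'object' || Array.isArray(where)) {
    return out;
  }
  for (const [key, value] of Object.entries(where)) {
    if (key === '$or' || key === '$and' || key === '$nor') {
      if (Array.isArray(value)) {
        for (const sub of value) referencedFields(sub, out);
      }
      continue;
    }
    if (key.startsWith('$')) continue; // other top-level operators name no field here
    out.add(key);
  }
  return out;
}

// Return the protected fields a where clause touches. A dot-notation key matches
// when its first segment is protected (the nested path lives inside that column)
// or when the full path itself is listed.
function protectedFieldsReferenced(where, protectedFields) {
  const protectedSet = new Set(protectedFields);
  const hits = [];
  for (const field of referencedFields(where)) {
    const root = field.split('.')[0];
    if (protectedSet.has(field) || protectedSet.has(root)) hits.push(field);
  }
  return hits;
}

// Evaluate one decoded LiveQuery client message and return a decision object
// the caller can log or use to reject the subscription before registering it.
function checkSubscribe(message, protectedFieldsForSubscriber) {
  if (!message || message.op !== 'subscribe' || !message.query) {
    return { applicable: false };
  }
  const hits = protectedFieldsReferenced(message.query.where || {}, protectedFieldsForSubscriber);
  return {
    applicable: true,
    requestId: message.requestId,
    className: message.query.className,
    reject: hits.length > 0,
    protectedFieldsReferenced: hits,
  };
}

// Constructed sample traffic: JSON lines as a LiveQuery server might log them.
const SAMPLE_LOG = [
  '{"op":"subscribe","requestId":1,"query":{"className":"Employee","where":{"department":"Sales"}}}',
  '{"op":"subscribe","requestId":2,"query":{"className":"Employee","where":{"ssn":{"$regex":"^123"}}}}',
  '{"op":"subscribe","requestId":3,"query":{"className":"Employee","where":{"$or":[{"department":"HR"},{"salary":{"$gt":100000}}]}}}',
  '{"op":"subscribe","requestId":4,"query":{"className":"Employee","where":{"profile.ssn":{"$exists":true}}}}',
  '{"op":"unsubscribe","requestId":1}',
];

// Assumed: fields already resolved as protected for this subscriber.
const PROTECTED_FOR_SUBSCRIBER = ['ssn', 'salary', 'profile'];

// Scan log lines and return the requestIds whose subscription should be rejected.
function scanLog(lines, protectedFields) {
  const rejected = [];
  for (const line of lines) {
    const decision = checkSubscribe(JSON.parse(line), protectedFields);
    if (decision.applicable && decision.reject) rejected.push(decision.requestId);
  }
  return rejected;
}

console.log(scanLog(SAMPLE_LOG, PROTECTED_FOR_SUBSCRIBER)); // [2, 3, 4]
```

Requests 2, 3 and 4 are flagged: a `$regex` constraint on `ssn`, a `salary` constraint hidden inside `$or`, and a dot-notation path under the protected `profile` column. Request 1 constrains only an unprotected field and the `unsubscribe` message is not applicable. Run the same walk at subscription time, before the subscription is registered, to get the behaviour the fixed versions enforce; run it over stored subscription logs to look for past attempts.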

