CVE-2026-32098
Received Received - Intake
Boolean Oracle Vulnerability in Parse Server LiveQuery Exposes Protected Fields

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or $regex), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both protectedFields configured in Class-Level Permissions and LiveQuery enabled. This vulnerability is fixed in 9.6.0-alpha.9 and 8.6.35.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32098
EUVD
EUVD-2026-11340
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform parse-server to 8.6.35 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32098 is a security vulnerability in Parse Server that allows an attacker to infer the values of protected fields without directly accessing them. This happens through the LiveQuery feature, where an attacker can create a subscription with a WHERE clause referencing protected fields, including nested fields or using operators like $regex. By observing whether LiveQuery events are triggered for matching objects, the attacker gains a boolean oracle that leaks information about these protected fields.

The vulnerability affects any class that has both protectedFields configured in Class-Level Permissions and LiveQuery enabled. The root cause is that LiveQuery subscriptions did not validate the WHERE clause against protected fields, unlike the REST API. This flaw was fixed in Parse Server versions 9.6.0-alpha.9 and 8.6.35 by enforcing validation that rejects subscriptions referencing protected fields.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information by leaking the values of protected fields. Attackers can exploit the LiveQuery subscription mechanism to infer confidential data without having direct access to it.

The impact is primarily on confidentiality, as attackers can gain information they should not have access to. The vulnerability does not affect data integrity or availability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves an attacker exploiting LiveQuery subscriptions with WHERE clauses referencing protected fields to infer sensitive data. Detection would involve monitoring LiveQuery subscription requests that include WHERE clauses targeting protected fields, especially those using dot-notation or operators like $regex, $or, $and, or $nor.

Since the vulnerability is related to the content of LiveQuery subscription queries, detection can focus on analyzing LiveQuery subscription traffic or logs for suspicious WHERE clauses referencing protected fields.

There are no specific commands provided in the available resources to detect this vulnerability directly.

Mitigation Strategies

To mitigate this vulnerability, upgrade your parse-server to version 9.6.0-alpha.9 or later, or to version 8.6.35 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, consider disabling LiveQuery for classes that have protectedFields configured, or remove protectedFields from classes that require LiveQuery, as a temporary workaround.

The fix enforces validation of LiveQuery subscription WHERE clauses to reject any referencing protected fields, preventing unauthorized data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32098. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart