CVE-2026-33429

Received Received - Intake

Information Disclosure via LiveQuery Watch Parameter in Parse Server

Publication date: 2026-03-24

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. This issue has been patched in versions 8.6.54 and 9.6.0-alpha.43.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-24

Last Modified

2026-03-25

Generated

2026-06-16

AI Q&A

2026-03-24

EPSS Evaluated

2026-06-15

NVD

CVE-2026-33429

Affected Vendors & Products

Vendor	Product	Version / Range
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	to 8.6.54 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-203	The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Attack-Flow Graph

Executive Summary

This vulnerability affects Parse Server versions prior to 8.6.54 and 9.6.0-alpha.43. An attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the actual value of the protected field is not exposed in event payloads, the attacker can observe the presence or absence of update events to determine whether the protected field has changed. This creates a binary oracle that leaks information about the protected field's state. For boolean protected fields, the timing of these change events effectively reveals the field's value.

Impact Analysis

The vulnerability can lead to information disclosure by allowing an attacker to infer changes to protected fields that should remain confidential. This leakage can compromise the privacy of sensitive data, especially boolean protected fields, by revealing their values through timing analysis of update events.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring LiveQuery subscription requests that include the "watch" parameter targeting protected fields or their nested properties. Specifically, look for subscription attempts that try to watch fields marked as protected, such as "secretObj" or nested keys like "secretObj.apiKey".'}, {'type': 'paragraph', 'content': 'To detect such attempts, you can inspect your Parse Server logs or network traffic for LiveQuery subscription requests containing the "watch" parameter with protected field names.'}, {'type': 'paragraph', 'content': 'Example commands to detect suspicious LiveQuery subscriptions might include:'}, {'type': 'list_item', 'content': "Using grep on server logs to find subscriptions watching protected fields: grep -i 'watch.*secretObj' parse-server.log"}, {'type': 'list_item', 'content': 'Using network traffic capture tools (e.g., tcpdump or Wireshark) to filter WebSocket messages containing the watch parameter with protected fields.'}, {'type': 'list_item', 'content': 'Implement server-side logging or middleware to log and alert on LiveQuery subscription requests that include protected fields in the watch parameter.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade your Parse Server to version 8.6.54 or later, or 9.6.0-alpha.43 or later, where this vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'The patch enforces explicit checks on the LiveQuery "watch" parameter, rejecting subscription requests that attempt to watch protected fields or their nested properties unless the client has master key privileges.'}, {'type': 'paragraph', 'content': 'Until you can upgrade, consider restricting LiveQuery access or disabling LiveQuery subscriptions that include the watch parameter for protected fields, and monitor for suspicious subscription attempts.'}] [1]

Hi! I’m here to help you understand CVE-2026-33429. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-33429

Information Disclosure via LiveQuery Watch Parameter in Parse Server

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart