CVE-2026-33429
Information Disclosure via LiveQuery Watch Parameter in Parse Server
Publication date: 2026-03-24
Last updated on: 2026-03-25
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | to 8.6.54 (exc) |
| parseplatform | parse-server | From 9.0.0 (inc) to 9.6.0 (exc) |
| parseplatform | parse-server | 9.6.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-203 | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Parse Server versions prior to 8.6.54 and 9.6.0-alpha.43. An attacker can subscribe to LiveQuery with a watch parameter that names a protected field, or a key nested under one. The value of the protected field is never included in the event payload, but the server only delivers an update event for a subscription when one of its watched fields changes, so the attacker learns from the presence or absence of an event on each save whether the protected field changed. This is a binary oracle on the protected field's state. For a boolean protected field, each observed event marks a flip, so an attacker who knows or guesses the initial value can track the field's value over time without ever reading it.
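The oracle described above, as an added example that models the pre-fix behaviour; this is not Parse Server's code. The subscription shape, the function names (`serverEmitsEvent`, `inferBooleanTimeline`) and the sample saves are assumptions made for illustration. The server strips the protected field from every payload, yet the attacker reconstructs the boolean from the event stream alone.

```javascript
// Added example (not Parse Server code): a minimal model of the pre-fix
// behaviour described above. The subscription shape, the function names
// and the sample data are assumptions made for illustration.

// An "update" event fires for a subscription whenever any key listed in
// its `watch` array differs between the stored and the saved object.
function watchedKeyChanged(watch, original, current) {
  return watch.some((key) => original[key] !== current[key]);
}

// Protected fields are stripped from the event payload before delivery,
// so the client never sees their values.
function redact(object, protectedKeys) {
  const out = { ...object };
  for (const key of protectedKeys) delete out[key];
  return out;
}

// Pre-fix server: the `watch` array is not checked against protected
// fields, so watching `isAdmin` is accepted and drives event emission.
function serverEmitsEvent(subscription, original, current, protectedKeys) {
  if (!watchedKeyChanged(subscription.watch, original, current)) return null;
  return { op: 'update', object: redact(current, protectedKeys) };
}

// Attacker side: the payload never contains `isAdmin`, but because the
// watch list holds only that key, every event means the boolean flipped.
function inferBooleanTimeline(initialValue, eventArrived) {
  let value = initialValue;
  return eventArrived.map((arrived) => {
    if (arrived) value = !value;
    return value;
  });
}

// Constructed scenario: four saves of one Account object.
const protectedKeys = ['isAdmin'];
const subscription = { className: 'Account', watch: ['isAdmin'] };
const saves = [
  { before: { name: 'a', isAdmin: false }, after: { name: 'b', isAdmin: false } }, // unrelated edit
  { before: { name: 'b', isAdmin: false }, after: { name: 'b', isAdmin: true } },  // flag turned on
  { before: { name: 'b', isAdmin: true },  after: { name: 'c', isAdmin: true } },  // unrelated edit
  { before: { name: 'c', isAdmin: true },  after: { name: 'c', isAdmin: false } }, // flag turned off
];

function runScenario() {
  const events = saves.map((s) =>
    serverEmitsEvent(subscription, s.before, s.after, protectedKeys));
  const leaked = inferBooleanTimeline(false, events.map((e) => e !== null));
  return { events, leaked };
}

const { events, leaked } = runScenario();
console.log(events.map((e) => (e ? e.object : null)));
console.log(leaked); // [false, true, true, false], although isAdmin was never sent
```

Only saves 2 and 4 produce an event, and neither payload contains `isAdmin`; the attacker still ends up with the complete value history because the watch list itself turned the redacted field into the event trigger.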
How can this vulnerability impact me? :
The vulnerability can lead to information disclosure: an attacker can infer when protected fields change even though those fields are meant to remain confidential to that client. For boolean protected fields in particular, the sequence of update events effectively reveals the value, since every delivered event corresponds to a flip.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring LiveQuery subscription requests that include the "watch" parameter targeting protected fields or their nested properties. Specifically, look for subscription attempts that try to watch fields marked as protected, such as "secretObj" or nested keys like "secretObj.apiKey".

To detect such attempts, you can inspect your Parse Server logs or network traffic for LiveQuery subscription requests containing the "watch" parameter with protected field names.

Example commands to detect suspicious LiveQuery subscriptions might include:

- Using grep on server logs to find subscriptions watching protected fields: grep -i 'watch.*secretObj' parse-server.log
- Using network traffic capture tools (e.g., tcpdump or Wireshark) to filter WebSocket messages containing the watch parameter with protected fields.
- Implement server-side logging or middleware to log and alert on LiveQuery subscription requests that include protected fields in the watch parameter. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade your Parse Server to version 8.6.54 or later, or 9.6.0-alpha.43 or later, where this vulnerability has been patched.

The patch enforces explicit checks on the LiveQuery "watch" parameter, rejecting subscription requests that attempt to watch protected fields or their nested properties unless the client has master key privileges.

Until you can upgrade, consider restricting LiveQuery access or disabling LiveQuery subscriptions that include the watch parameter for protected fields, and monitor for suspicious subscription attempts. [1]
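A subscribe-time check of the kind the patch is described as enforcing, together with a log scanner for the detection step above, as an added example; this is not Parse Server's own code. `validateWatch`, `scanSubscribeLog`, the flattened `protectedFields` map (Parse Server's real option is keyed per role or user), the subscribe message shape (`query.className`, `query.watch`) and the JSON-per-line log format are all assumptions made for illustration. The same matcher serves both passages: nested keys such as "secretObj.apiKey" are caught because the match is on the protected name or a dot-delimited prefix of it.

```javascript
// Added example (not Parse Server code): a subscribe-time check of the kind
// the patch is described as enforcing, plus a scanner for the detection
// step above. validateWatch, scanSubscribeLog, the flattened protectedFields
// map and the log format are assumptions made for illustration.

// Simplified: className -> top-level keys that are protected for the client.
// (Parse Server's real protectedFields option is keyed per role/user; this
// model assumes that lookup has already been resolved for the caller.)
const protectedFields = {
  Account: ['isAdmin', 'secretObj'],
};

// A watch key hits a protected field if it names it or a key nested under it,
// so "secretObj.apiKey" is covered by protecting "secretObj", while an
// unrelated key such as "secretObjX" is not.
function touchesProtected(watchKey, protectedKeys) {
  return protectedKeys.some((p) => watchKey === p || watchKey.startsWith(p + '.'));
}

// Mitigation: reject a subscribe message whose `watch` lists a protected
// field unless the request was made with the master key. The message shape
// (query.className / query.watch) is assumed here.
function validateWatch(subscribeMsg, protectedFields, hasMasterKey) {
  const query = subscribeMsg.query || {};
  const watch = Array.isArray(query.watch) ? query.watch : [];
  const protectedKeys = protectedFields[query.className] || [];
  const offending = watch.filter((k) => touchesProtected(k, protectedKeys));
  if (offending.length === 0 || hasMasterKey) return { ok: true, offending: [] };
  return {
    ok: false,
    offending,
    error: `watch parameter names protected field(s): ${offending.join(', ')}`,
  };
}

// Detection: walk a JSON-per-line log of LiveQuery messages (constructed
// format) and return the subscribe requests that watched protected fields.
function scanSubscribeLog(lines, protectedFields) {
  const hits = [];
  for (const line of lines) {
    let msg;
    try { msg = JSON.parse(line); } catch (_) { continue; } // skip non-JSON lines
    if (!msg || msg.op !== 'subscribe') continue;
    const result = validateWatch(msg, protectedFields, false);
    if (!result.ok) {
      hits.push({ requestId: msg.requestId, className: msg.query.className, offending: result.offending });
    }
  }
  return hits;
}

// Constructed sample log (not real Parse Server output).
const sampleLog = [
  JSON.stringify({ op: 'subscribe', requestId: 1, query: { className: 'Account', where: {}, watch: ['name'] } }),
  JSON.stringify({ op: 'subscribe', requestId: 2, query: { className: 'Account', where: {}, watch: ['secretObj.apiKey'] } }),
  'info: LiveQuery server started',
  JSON.stringify({ op: 'subscribe', requestId: 3, query: { className: 'Account', where: {}, watch: ['name', 'isAdmin'] } }),
  JSON.stringify({ op: 'subscribe', requestId: 4, query: { className: 'Post', where: {}, watch: ['isAdmin'] } }), // not protected on Post
  JSON.stringify({ op: 'unsubscribe', requestId: 2 }),
];

console.log(scanSubscribeLog(sampleLog, protectedFields));
// -> hits for requestId 2 (secretObj.apiKey) and 3 (isAdmin)
```

Request 4 is not flagged because `isAdmin` is only protected on `Account` in this model, which is the same per-class lookup the validator would need at subscribe time; the grep one-liner above would match it regardless, so the scanner is the lower-noise option once your protected-field map is known.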