CVE-2026-34363
Insecure Data Handling in Parse Server LiveQuery Causes Data Leakage
Publication date: 2026-03-31
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | From 9.0.0 (inc) to 9.7.0 (exc) |
| parseplatform | parse-server | 9.7.0 |
| parseplatform | parse-server | to 8.6.65 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-34363 causes unauthorized leakage of protected fields and authentication data between concurrent LiveQuery subscribers in Parse Server. This unauthorized data exposure can lead to sensitive personal or protected information being accessed by clients without proper authorization.
Such leakage of sensitive data can violate data protection principles required by common standards and regulations like GDPR and HIPAA, which mandate strict controls on access to personal and protected health information to ensure confidentiality and privacy.
Therefore, deployments of Parse Server using LiveQuery with protected fields or afterEvent triggers prior to the patched versions are at risk of non-compliance due to potential unauthorized disclosure of sensitive data.
The patch fixes this issue by isolating event payloads per subscriber, preventing data leaks and helping maintain compliance with data protection regulations by ensuring that sensitive fields are only visible to authorized clients.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from a race condition in the Parse Server LiveQuery feature when multiple clients concurrently subscribe to the same class, causing protected fields or authentication data to leak due to shared mutable state. Detection involves monitoring LiveQuery subscriptions and event payloads for unauthorized exposure of protected fields or incomplete data delivery.
Since the vulnerability is related to concurrent LiveQuery subscriptions and improper filtering of protected fields, detection can be approached by observing LiveQuery traffic for unexpected data leaks or inconsistencies.
Specific commands or tools are not provided in the available resources. However, general detection steps could include:
- Capture and analyze network traffic to and from the Parse Server LiveQuery endpoint, looking for event payloads containing protected fields that should not be visible to certain clients.
- Use logging or debugging features in Parse Server to trace LiveQuery subscription events and verify that protected fields are correctly filtered per client.
- Implement test clients that simulate concurrent subscriptions with different privilege levels (e.g., master-key vs. regular clients) to verify whether protected fields leak between them.
No explicit detection commands or scripts are mentioned in the provided resources.
Can you explain this vulnerability to me?
CVE-2026-34363 is a high-severity vulnerability in the Parse Server LiveQuery feature that affects versions prior to 8.6.65 and 9.7.0-alpha.9. The issue occurs when multiple clients subscribe concurrently to the same class via LiveQuery. Event handlers process each subscriber using shared mutable objects without proper isolation. Because the sensitive data filter modifies these shared objects in-place, protected fields or authentication data can leak between subscribers. This means that one subscriber might receive data that should be hidden from them, or clients that should see the data might receive incomplete information.
Additionally, when an afterEvent Cloud Code trigger is registered, modifications made by one subscriber's trigger can leak to other subscribers through the shared mutable state. The root cause is improper synchronization and concurrent execution using shared resources, leading to race conditions and data leakage.
The vulnerability was fixed by deep-cloning the shared objects at the start of each subscriber's processing callback, ensuring each subscriber operates on an independent copy of the data. This prevents unauthorized data exposure and preserves data integrity.
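As an added illustration (written for this page, not Parse Server's own code), the following JavaScript models the shared-object fan-out described above: a protected-field filter and an afterEvent trigger that both mutate one shared event object in place, beside the per-subscriber deep clone used in the fix. The class, field and subscriber names and the trigger's behaviour are constructed assumptions.

```javascript
// Added illustration, not Parse Server code: shared mutable event vs. per-subscriber clone.

// Constructed event payload that the server fans out to every subscriber.
const EVENT = {
  className: 'Patient',
  object: { objectId: 'p1', name: 'Alice', ssn: '123-45-6789', email: 'a@example.com' },
};

// Constructed policy: these fields are visible only to master-key subscribers.
const PROTECTED = { Patient: ['ssn', 'email'] };
const ADMIN = { id: 'admin', masterKey: true };
const RESTRICTED = { id: 'restricted', masterKey: false };

// Filter that mutates the object it is handed, deleting protected fields
// for subscribers that do not hold the master key.
function filterSensitiveInPlace(className, object, sub) {
  if (!sub.masterKey) { for (const f of PROTECTED[className] || []) delete object[f]; }
  return object;
}

// Constructed afterEvent trigger: annotates the object for master-key clients only.
function afterEventTrigger(object, sub) {
  if (sub.masterKey) object.reviewerNote = 'flagged for audit';
  return object;
}

// Process one subscriber: filter, then trigger, both operating on `object`.
function processSubscriber(className, object, sub) {
  afterEventTrigger(filterSensitiveInPlace(className, object, sub), sub);
  return { id: sub.id, fields: Object.keys(object).sort() };
}

// Vulnerable fan-out: every subscriber's callback receives the same shared object.
function fanOutShared(event, subs) {
  return subs.map(sub => processSubscriber(event.className, event.object, sub));
}

// Fixed fan-out: deep-clone at the start of each subscriber's processing.
function fanOutIsolated(event, subs) {
  return subs.map(sub =>
    processSubscriber(event.className, structuredClone(event.object), sub));
}

// Run both fan-outs in both subscriber orders so each failure mode shows:
// the restricted client receiving the trigger's note, or the admin missing fields.
function demo() {
  const run = fn => [[ADMIN, RESTRICTED], [RESTRICTED, ADMIN]]
    .map(order => fn(structuredClone(EVENT), order));
  return { leaky: run(fanOutShared), fixed: run(fanOutIsolated) };
}
```

In the shared variant, whichever subscriber is processed first dictates what the second one sees; with the clone, each subscriber's view depends only on its own privilege level.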
How can this vulnerability impact me?
This vulnerability can lead to unauthorized exposure of sensitive and protected fields, including authentication data, to clients that should not have access to them. This means that confidential information could be leaked to unauthorized users.
It can also cause clients that are authorized to see certain data to receive incomplete or corrupted data due to race conditions in concurrent subscriber processing.
Because the vulnerability allows remote attackers to exploit the LiveQuery feature over the network without requiring privileges or user interaction, it poses a significant security risk to any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers.
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-34363, you should immediately upgrade your Parse Server deployment to version 8.6.65 or later, or to version 9.7.0-alpha.9 or later, where the vulnerability has been patched.
The patch fixes the issue by deep-cloning the shared mutable objects for each LiveQuery subscriber, ensuring that sensitive data filters and afterEvent Cloud Code triggers operate on isolated copies, preventing data leakage between concurrent subscribers.
No known workarounds exist, so upgrading is the primary recommended action.