Executive Summary

CVE-2026-34595 is a security vulnerability in the Parse Server's LiveQuery feature that allows an authenticated user with find class-level permission to bypass the protectedFields class-level permission setting.

The vulnerability occurs because the LiveQuery subscription handler improperly handles logical operators ($or, $and, $nor) when their values are provided as array-like objects (plain objects with numeric keys and a length property) instead of proper arrays. This type confusion allows the protected-field guard to be bypassed.

As a result, an attacker can send specially crafted subscription queries that cause the subscription event firing to act as a binary oracle, enabling them to infer whether a protected field matches a given test value, effectively leaking protected information.

The issue was fixed by enforcing strict validation that the values for these logical operators must be genuine arrays, rejecting any non-array values and thereby preventing the bypass.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an authenticated user with limited permissions (find class-level permission) to bypass protectedFields restrictions in LiveQuery subscriptions.

Through this bypass, an attacker can infer sensitive or protected data fields that should normally be inaccessible, effectively leaking confidential information.

Although the impact on integrity and availability is none, the confidentiality impact is low but significant because it exposes protected data fields.

Since the attack requires only low privileges and no user interaction, it can be exploited remotely over the network, increasing the risk.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves bypassing protected-field guards in Parse Server's LiveQuery feature by sending subscription queries with logical operators ($or, $and, $nor) using array-like objects instead of arrays. Detection involves monitoring LiveQuery subscription queries for such malformed logical operator values.

Specifically, you can detect suspicious queries where $or, $and, or $nor operators have values that are plain objects with numeric keys and a length property rather than proper arrays.

Since the vulnerability is exploited via crafted LiveQuery subscription requests, network detection could involve inspecting LiveQuery traffic for queries with these characteristics.

No explicit detection commands are provided in the resources, but you can implement logging or query validation hooks in your Parse Server instance to log or reject queries where these logical operators have non-array values.

For example, you might use server-side logging or debugging to capture LiveQuery subscription payloads and check for the presence of $or, $and, or $nor operators with object values that have numeric keys and a length property.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade your Parse Server to a patched version where this vulnerability is fixed.

• Upgrade to Parse Server version 8.6.70 or later, or 9.7.0-alpha.18 or later, where the fix has been implemented.
• The fix enforces strict validation that the values for $or, $and, and $nor operators in LiveQuery subscriptions and REST queries must be genuine arrays, rejecting any queries with array-like objects.
• If immediate upgrade is not possible, consider implementing custom validation on your LiveQuery subscription queries to reject or sanitize queries where logical operators have non-array values.

No known workarounds exist other than applying the patch or upgrading to a fixed version.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Parse Server allows an authenticated user with find class-level permission to bypass protectedFields class-level permission on LiveQuery subscriptions, potentially exposing protected data fields. This unauthorized access to protected information could lead to data leakage.

Such unauthorized data exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information. The ability to infer protected field values through this bypass could be considered a violation of confidentiality requirements mandated by these standards.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Useful 0 Not Useful 0