CVE-2026-34595
ProtectedFields Bypass in Parse Server LiveQuery via Array-Like Objects
Publication date: 2026-03-31
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | Up to 8.6.70 (exc) |
| parseplatform | parse-server | From 9.0.0 (inc) to 9.7.0 (exc) |
| parseplatform | parse-server | 9.7.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34595 is a security vulnerability in the Parse Server's LiveQuery feature that allows an authenticated user with find class-level permission to bypass the protectedFields class-level permission setting.
The vulnerability occurs because the LiveQuery subscription handler improperly handles logical operators ($or, $and, $nor) when their values are provided as array-like objects (plain objects with numeric keys and a length property) instead of proper arrays. This type confusion allows the protected-field guard to be bypassed.
As a result, an attacker can send specially crafted subscription queries that cause the subscription event firing to act as a binary oracle, enabling them to infer whether a protected field matches a given test value, effectively leaking protected information.
The issue was fixed by enforcing strict validation that the values for these logical operators must be genuine arrays, rejecting any non-array values and thereby preventing the bypass.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an authenticated user with limited permissions (find class-level permission) to bypass protectedFields restrictions in LiveQuery subscriptions.
Through this bypass, an attacker can infer sensitive or protected data fields that should normally be inaccessible, effectively leaking confidential information.
The impact on integrity and availability is none; the confidentiality impact is rated low, but it is still significant because values of protected fields can be inferred.
Because the attack requires only low privileges and no user interaction, and is carried out remotely over the network, the practical risk is higher than the low rating alone suggests.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves bypassing protected-field guards in Parse Server's LiveQuery feature by sending subscription queries with logical operators ($or, $and, $nor) using array-like objects instead of arrays. Detection involves monitoring LiveQuery subscription queries for such malformed logical operator values.
Specifically, you can detect suspicious queries where $or, $and, or $nor operators have values that are plain objects with numeric keys and a length property rather than proper arrays.
Since the vulnerability is exploited via crafted LiveQuery subscription requests, network detection could involve inspecting LiveQuery traffic for queries with these characteristics.
No explicit detection commands are provided in the resources, but you can implement logging or query validation hooks in your Parse Server instance to log or reject queries where these logical operators have non-array values.
For example, you might use server-side logging or debugging to capture LiveQuery subscription payloads and check for the presence of $or, $and, or $nor operators with object values that have numeric keys and a length property.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade your Parse Server to a patched version where this vulnerability is fixed.
- Upgrade to Parse Server version 8.6.70 or later, or 9.7.0-alpha.18 or later, where the fix has been implemented.
- The fix enforces strict validation that the values for $or, $and, and $nor operators in LiveQuery subscriptions and REST queries must be genuine arrays, rejecting any queries with array-like objects.
- If immediate upgrade is not possible, consider implementing custom validation on your LiveQuery subscription queries to reject or sanitize queries where logical operators have non-array values.
No known workarounds exist other than applying the patch or upgrading to a fixed version.
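A server-side guard of the kind the detection and mitigation answers describe, written here as an added JavaScript example that is not Parse Server's own code: it walks a LiveQuery where-clause and rejects any $or, $and or $nor value that is not a genuine array, naming array-like objects explicitly. The function names, the LiveQuery message shape and the sample payloads are constructed for illustration.

```javascript
// Added example (not Parse Server code): reject logical operators whose value
// is not a genuine array. Names below are hypothetical.
const LOGICAL_OPS = new Set(['$or', '$and', '$nor']);

// Duck-typed "array-like" check, used only to label what the guard refuses:
// a non-array object carrying an integer `length` (typically with numeric keys).
function isArrayLike(value) {
  return (
    value !== null &&
    typeof value === 'object' &&
    !Array.isArray(value) &&
    Number.isInteger(value.length)
  );
}

// Recursively walk a where-clause. Returns { ok: true } or
// { ok: false, path, reason } for the first offending operator found.
function validateLogicalOperators(where, path = '') {
  if (where === null || typeof where !== 'object') return { ok: true };
  for (const [key, value] of Object.entries(where)) {
    const here = path ? `${path}.${key}` : key;
    if (LOGICAL_OPS.has(key)) {
      // Array.isArray is the only acceptable test: numeric keys plus a
      // `length` property do not satisfy it.
      if (!Array.isArray(value)) {
        const reason = isArrayLike(value) ? 'array-like object' : typeof value;
        return { ok: false, path: here, reason };
      }
      for (let i = 0; i < value.length; i++) {
        const r = validateLogicalOperators(value[i], `${here}[${i}]`);
        if (!r.ok) return r;
      }
    } else if (typeof value === 'object') {
      // Field constraints and sub-documents may nest logical operators.
      const r = validateLogicalOperators(value, here);
      if (!r.ok) return r;
    }
  }
  return { ok: true };
}

// Validate a constructed LiveQuery-style subscribe message (shape assumed).
function checkSubscribeMessage(msg) {
  return validateLogicalOperators((msg.query && msg.query.where) || {});
}

// Constructed sample where-clauses: one genuine array, two array-like objects.
const benign = { $or: [{ status: 'open' }, { owner: 'alice' }] };
const arrayLike = { $or: { 0: { secret: 'guess' }, length: 1 } };
const nested = { tags: { $and: { 0: { x: 1 }, 1: { y: 2 }, length: 2 } } };
```

Hooking a check like this in front of subscription handling rejects the malformed payloads and gives you a log line (the path and reason) to alert on, while leaving ordinary array-valued queries untouched.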
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Parse Server allows an authenticated user with find class-level permission to bypass protectedFields class-level permission on LiveQuery subscriptions, potentially exposing protected data fields. This unauthorized access to protected information could lead to data leakage.
Such unauthorized data exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information. The ability to infer protected field values through this bypass could be considered a violation of confidentiality requirements mandated by these standards.
However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.