CVE-2026-57481
Received Received - Intake

LiveQuery ACL Bypass in Parse Server

Vulnerability report for CVE-2026-57481, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber's ACL read access, because leave and enter events included the wrong object state. This issue is fixed in versions 9.9.1-alpha.13 and 8.6.83.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
parse_server parse_server to 8.6.83 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows a LiveQuery subscriber to receive object field values they are not authorized to read due to incorrect object state being included in leave and enter events. Such unauthorized data exposure could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

However, the provided information does not explicitly state the impact on compliance with these standards.

Executive Summary

This vulnerability affects Parse Server versions prior to 9.9.1-alpha.13 and 8.6.83. It occurs when a LiveQuery subscriber receives object field values they are not authorized to read. This happens because, during a single save operation that changes both an object field and the subscriber's ACL (Access Control List) read access, the leave and enter events include the wrong object state.

Impact Analysis

The impact of this vulnerability is that unauthorized users subscribing to LiveQuery could see data fields they should not have access to. This could lead to unintended data exposure and potential privacy breaches.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Parse Server to version 9.9.1-alpha.13 or later, or version 8.6.83 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57481. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart