How CVE-2026-33163 Works
Parse Server’s LiveQuery feature enables real‑time event delivery to subscribed clients. When a client subscribes to a class, it receives create, update, delete, enter, and `leave` events for objects that match its query. Access control is enforced through Class‑Level Permissions (CLP) and per‑object Access Control Lists (ACLs). The vulnerability arises when a single `save` operation modifies both the content of an object and the ACL that governs a subscriber’s read access to that object.
Consider a subscriber who currently has read access to an object. If the same `save` updates a field value and simultaneously removes that subscriber’s read permission, the LiveQuery server generates a `leave` event because the object no longer matches the subscriber’s query (due to the ACL change). However, the `leave` event payload incorrectly includes the post‑update object state – the very field values that the subscriber is no longer authorized to see. This leaks the updated sensitive data to a client that should have lost access.
The symmetric issue occurs when a `save` grants read access to a subscriber while also changing field values. In this case, an `enter` event is triggered, but the payload contains the pre‑grant object state – the data that the subscriber was not permitted to read before the change. Thus, the subscriber receives information they should never have seen.
The disclosure is limited to the single object affected by that `save` and is delivered only to the subscriber whose access changed. Applications that combine content modifications with access‑control changes in the same `save` on LiveQuery‑enabled classes are vulnerable. The fix now verifies the subscriber’s authorization for the specific object state included in `leave` and `enter` events. For a `leave` caused by losing read access, the event delivers the last authorized object state instead of the post‑update body. For an `enter` caused by gaining read access, the previously unauthorized original state is omitted. Events caused by normal query‑match changes (where read access is retained) and master‑key subscribers are unaffected.
DailyCVE Form
| Field | Value |
|---|---|
| Platform | Parse Server |
| Version | < 8.6.50, < 9.6.0‑alpha.35 |
| Vulnerability | LiveQuery ACL bypass |
| Severity | Medium (CVSS 5.3) |
| Date | 2026‑03‑18 |
| Prediction | Patch already released |
What Undercode Say: Analytics
The vulnerability stems from the LiveQuery server’s failure to re‑evaluate the subscriber’s read authorization when constructing `leave` and `enter` event payloads after a `save` that alters both data and ACLs. The server previously assumed that the event type alone (leave/enter) was sufficient to determine what data to send, without checking whether the subscriber actually had permission to view the specific object state being delivered.
Bash commands to check your Parse Server version:
```bash
# Check installed version via npm
npm list parse-server
# Or if running from source, check package.json
grep '"parse-server"' package.json
```
Example of a vulnerable save operation (pseudo‑code):
```javascript
// DO NOT USE – vulnerable pattern
// Assumes the Parse JS SDK is initialised, `objectId` refers to an existing
// object the subscriber can currently read, and `user` is that subscriber.
const object = await new Parse.Query("MyClass").get(objectId);
object.set("sensitiveField", "newValue"); // content change
const acl = new Parse.ACL();
acl.setReadAccess(user, false); // revoke read access in the same save
object.setACL(acl);
await object.save(); // single save – triggers the vulnerability
```
Analytics query to detect such patterns in your codebase:
```bash
# List JavaScript files that contain both a save call and an ACL mutation.
# Matching on a single line (as with a plain grep pipe) misses the common case
# where set()/setACL() and save() sit on different lines.
grep -rlE 'setACL|setReadAccess|setWriteAccess' --include='*.js' . \
  | xargs grep -l '\.save('
```
Exploit
An attacker (or malicious subscriber) can craft a subscription to a LiveQuery‑enabled class and then wait for a legitimate `save` that updates an object’s fields while also changing the ACL. The attacker does not need to initiate the save; they only need to be a subscriber whose access is being modified in that same transaction.
Steps to exploit:
- Subscribe to a LiveQuery on a class that uses per‑object ACLs.
- Wait for an administrator or another user to perform a `save` that both changes a field value and alters the ACL (e.g., revoking or granting read access to the attacker’s user).
- The attacker receives a `leave` or `enter` event containing the object state they should not have access to – either the updated values after losing access, or the pre‑update values before gaining access.
This can lead to disclosure of sensitive fields such as personal information, authentication tokens, or internal state that should remain hidden.
Protection
Patch: Upgrade to Parse Server version 8.6.50 or 9.6.0‑alpha.35 or later, where the fix has been applied. The patch ensures that for `leave` events caused by loss of read access, the last authorized object state is sent; for `enter` events caused by gain of read access, the pre‑grant state is omitted.
Workarounds (if patching is not immediately possible):
- Do not combine field updates and ACL changes in the same `save`. Perform the content change and the access‑control change in separate `save` operations (before or after each other). This avoids the race condition where the event payload is constructed with the wrong authorization context.
- Limit which classes are enabled for LiveQuery. Disable LiveQuery for sensitive classes by removing them from the `liveQuery.classNames` server configuration. This reduces the attack surface.
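The following is an added example, not Parse Server's own code: a minimal model of how a LiveQuery server picks the event type and payload a subscriber receives after a save, with the pre‑fix and post‑fix behaviour side by side, plus the split‑save workaround above. The data model is constructed (an object's `ACL` maps a user id or `"*"` to `{ read }`, a subscription carries `userId`, an optional `master` flag and an equality `where`).

```javascript
// Constructed model of LiveQuery event selection; not the real Parse Server logic.
function canRead(obj, sub) {
  if (sub.master) return true;               // master key bypasses ACLs
  const acl = obj.ACL || {};
  const entry = acl[sub.userId] || acl['*'];
  return Boolean(entry && entry.read);
}

function matchesQuery(obj, sub) {
  const whereOk = Object.entries(sub.where || {}).every(([k, v]) => obj[k] === v);
  return whereOk && canRead(obj, sub);       // unreadable objects never match
}

// Event sent to `sub` for the transition original -> updated, or null if none.
// `patched` selects the fixed behaviour described in the advisory.
function liveQueryEvent(sub, original, updated, patched) {
  const before = matchesQuery(original, sub);
  const after = matchesQuery(updated, sub);
  if (before && after) return { op: 'update', object: updated, original };
  if (!before && !after) return null;
  const lostRead = canRead(original, sub) && !canRead(updated, sub);
  const gainedRead = !canRead(original, sub) && canRead(updated, sub);
  if (before) {
    // leave: pre-fix, the post-update body is sent even when read was revoked;
    // fixed, the last authorised state is sent instead
    if (patched && lostRead) return { op: 'leave', object: original };
    return { op: 'leave', object: updated, original };
  }
  // enter: pre-fix, the pre-grant state rides along as `original`; fixed, it is omitted
  if (patched && gainedRead) return { op: 'enter', object: updated };
  return { op: 'enter', object: updated, original };
}

// Constructed scenario: user "u1" is subscribed; a single save both rewrites
// `secret` and revokes u1's read access.
const sub = { userId: 'u1' };
const v1 = { objectId: 'o1', secret: 'v1', ACL: { u1: { read: true } } };
const v2 = { objectId: 'o1', secret: 'v2', ACL: { u1: { read: false } } };

// Workaround: split into a content-only save followed by an ACL-only save, so the
// leave event only repeats data u1 had already been authorised to read.
const v1b = { ...v1, secret: 'v2' };
function splitSaveEvents(patched) {
  return [liveQueryEvent(sub, v1, v1b, patched), liveQueryEvent(sub, v1b, v2, patched)];
}
```

Run `liveQueryEvent(sub, v1, v2, false)` and `liveQueryEvent(sub, v1, v2, true)` to compare the leaked and the corrected `leave` payloads; `splitSaveEvents(false)` shows that the unpatched logic leaks nothing when the saves are separated.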
Additional hardening:
- Use Class‑Level Permissions (CLP) in addition to ACLs, but note that CLP alone does not prevent this issue; the vulnerability is specific to ACL changes within a single `save`.
- Monitor LiveQuery event logs for unexpected `leave` or `enter` payloads that contain data the subscriber should not have been able to see.
Impact
- Confidentiality: Unauthorized disclosure of object field values to subscribers who have lost (or never had) read access. The leaked data can include sensitive personal information, authentication credentials, or business‑critical fields.
- Scope: Limited to the single object affected by the `save` and only to the subscriber whose ACL changed. However, if an attacker can influence the timing or content of such `save` operations, they may systematically extract sensitive data.
- Affected Deployments: All Parse Server instances using LiveQuery with per‑object ACLs and performing combined content+ACL updates in a single `save` are vulnerable. Versions prior to 8.6.50 and 9.6.0‑alpha.35 are affected.
- Mitigation: Upgrade to the patched versions or apply the workarounds described above. The fix does not affect normal LiveQuery behavior for events where the subscriber’s read access remains unchanged.
Sources:
Reported By: github.com