Parse Server LiveQuery Class-Level Permission Bypass Vulnerability

Vulnerability

A vulnerability exists in Parse Server versions from 9.0.0 up to but not including 9.5.2-alpha.3, and in versions prior to 8.6.16, where class-level permissions (CLP) are not enforced for LiveQuery subscriptions. Because the LiveQuery server does not check CLP when a client subscribes, unauthenticated or unauthorized clients can subscribe to any LiveQuery-enabled class and receive real-time create, update and delete events for all of its objects, bypassing the CLP restrictions that govern ordinary queries. As a result, data meant to be protected by CLP is exposed to unauthorized subscribers in real time.

Impact

Exploitation of this vulnerability leads to a bypass of class-level permissions in LiveQuery, allowing unauthorized access to real-time data updates that should be restricted.

Remediation

Update to Parse Server version 9.5.2-alpha.3 or 8.6.16, where this vulnerability is patched. If updating is not immediately possible, LiveQuery can be disabled for classes that rely on CLP restrictions by removing those classes from the 'liveQuery.classNames' server configuration; classes not listed there cannot be subscribed to at all, so their CLP-protected data is no longer pushed to subscribers.
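The following is an added example of the workaround described above; it is not code from Parse Server or from the advisory. It assumes a Node.js deployment where the Parse Server options object is built in application code, and it filters the 'liveQuery.classNames' list so that any class whose CLP restricts public reads is left out. The class names, their CLP settings and the placeholder keys are constructed sample data; the `classLevelPermissions` shape (`find`/`get` maps keyed by `'*'`, `role:<name>` or `requiresAuthentication`) follows the public Parse Server schema format, and `isReadRestricted` is a hypothetical helper, not a Parse Server API.

```javascript
// Added example (not Parse Server's own code): build a Parse Server options
// object that applies the advisory workaround by keeping CLP-restricted
// classes out of liveQuery.classNames.

// Constructed sample schema: which classes carry CLP restrictions on reads.
const classSchemas = {
  PublicPost: {
    classLevelPermissions: { find: { '*': true }, get: { '*': true } },
  },
  PrivateNote: {
    classLevelPermissions: { find: { 'role:admin': true }, get: { 'role:admin': true } },
  },
  ChatMessage: {
    classLevelPermissions: {
      find: { requiresAuthentication: true },
      get: { requiresAuthentication: true },
    },
  },
};

// Hypothetical helper: a class counts as read-restricted if it has a CLP and
// either read operation (find/get) does not grant public access ('*': true).
// A class with no CLP at all is public by default, so it is not restricted.
// Simplification: write-only restrictions are ignored, since LiveQuery only
// leaks data through reads.
function isReadRestricted(clp) {
  if (!clp) return false;
  return ['find', 'get'].some((op) => {
    const perm = clp[op] || {};
    return perm['*'] !== true;
  });
}

// Drop every requested LiveQuery class whose CLP restricts reads.
function safeLiveQueryClassNames(requested, schemas) {
  return requested.filter((name) => {
    const schema = schemas[name];
    return !isReadRestricted(schema && schema.classLevelPermissions);
  });
}

// Weak setting: every class, including CLP-restricted ones, is LiveQuery-enabled,
// so on an unpatched server their updates reach unauthorized subscribers.
const vulnerableOptions = {
  appId: 'APP_ID_PLACEHOLDER',
  masterKey: 'MASTER_KEY_PLACEHOLDER',
  databaseURI: 'mongodb://localhost:27017/dev',
  serverURL: 'http://localhost:1337/parse',
  liveQuery: { classNames: ['PublicPost', 'PrivateNote', 'ChatMessage'] },
};

// Corrected setting: same options, but liveQuery.classNames is filtered.
function buildHardenedOptions(base, schemas) {
  return {
    ...base,
    liveQuery: {
      ...base.liveQuery,
      classNames: safeLiveQueryClassNames(base.liveQuery.classNames, schemas),
    },
  };
}

const hardenedOptions = buildHardenedOptions(vulnerableOptions, classSchemas);
// hardenedOptions.liveQuery.classNames is ['PublicPost']; pass hardenedOptions
// to `new ParseServer(...)` in place of vulnerableOptions.
```

In a real deployment the schema would be read from the server (for example via the master-key-only schemas endpoint) rather than hard-coded, and the check should be re-run whenever CLPs change, since a class that becomes restricted after startup would otherwise stay LiveQuery-enabled.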

Added: Mar 10, 2026, 9:28 PM
Updated: Mar 10, 2026, 9:28 PM

Vulnerability Rating (Custom Algorithm)

spread:          6.4
impact:          2.5
exploitability:  8.3
remediation:     8.3
relevance:       3.7
threat:          0.0
urgency:         2.9
incentive:       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.