{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34595", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T17:15:52.499Z", "datePublished": "2026-03-31T15:10:06.872Z", "dateUpdated": "2026-03-31T17:22:36.470Z"}, "containers": {"cna": {"title": "Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value", "problemTypes": [{"descriptions": [{"cweId": "CWE-843", "lang": "en", "description": "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2"}, {"name": "https://github.com/parse-community/parse-server/pull/10350", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10350"}, {"name": "https://github.com/parse-community/parse-server/pull/10351", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10351"}, {"name": "https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98"}, {"name": "https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 8.6.70", "status": "affected"}, {"version": ">= 9.0.0, < 9.7.0-alpha.18", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T15:10:06.872Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an \"array-like\" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18."}], "source": {"advisory": "GHSA-mmg8-87c5-jrc2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T17:22:23.778081Z", "id": "CVE-2026-34595", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T17:22:36.470Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34595", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T17:22:23.778081Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T17:22:32.842Z"}}], "cna": {"title": "Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value", "source": {"advisory": "GHSA-mmg8-87c5-jrc2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": "< 8.6.70"}, {"status": "affected", "version": ">= 9.0.0, < 9.7.0-alpha.18"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/pull/10350", "name": "https://github.com/parse-community/parse-server/pull/10350", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/pull/10351", "name": "https://github.com/parse-community/parse-server/pull/10351", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98", "name": "https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2", "name": "https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an \"array-like\" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-843", "description": "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T15:10:06.872Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34595", "state": "PUBLISHED", "dateUpdated": "2026-03-31T17:22:36.470Z", "dateReserved": "2026-03-30T17:15:52.499Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T15:10:06.872Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "832B033D-003F-489D-BAAD-D12E1804586D", "versionEndExcluding": "8.6.70", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E3DFF698-B3EE-4DCA-BAF3-9BE52F0F77D7", "versionEndExcluding": "9.7.0", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "3A140D3A-AECC-4CA1-958C-3CA53E313B27", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha10:*:*:*:node.js:*:*", "matchCriteriaId": "80D441B8-3B25-40E5-82E2-71E2A5E2F58F", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha11:*:*:*:node.js:*:*", "matchCriteriaId": "3CDAE590-5625-4B7C-9B52-23A6725F1B92", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha12:*:*:*:node.js:*:*", "matchCriteriaId": "BB2DF38D-26A3-4AB7-8FD3-E9A83995A3BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha13:*:*:*:node.js:*:*", "matchCriteriaId": "8EFBDB24-8B3B-48E9-9332-C283F9C314F3", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha14:*:*:*:node.js:*:*", "matchCriteriaId": "DEB97B07-FB76-4DF6-B068-C88963E27E21", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha15:*:*:*:node.js:*:*", "matchCriteriaId": "268C8423-0DA1-4C87-95D9-CF0D32504E89", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "BEDAEFBC-DA77-4998-BDD6-A139E15E5CC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "8C9E59AF-3B82-4D61-847B-A18E7DDF7A34", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "2AB743CC-D168-4313-A5AA-43CF76D178E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "C351C736-AB91-4985-A0B4-43B120F5E5C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "F02797C9-E67D-4BF4-BB56-8D6DA9178322", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7:*:*:*:node.js:*:*", "matchCriteriaId": "B059E381-D0F6-4425-92C0-167486379A98", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha8:*:*:*:node.js:*:*", "matchCriteriaId": "98C19734-3607-467D-9677-10A1909A8D8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha9:*:*:*:node.js:*:*", "matchCriteriaId": "F55001C0-EDDA-45D9-ABA4-CFF0489C9C01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an \"array-like\" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18."}], "id": "CVE-2026-34595", "lastModified": "2026-04-02T17:12:56.813", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T16:16:34.087", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/pull/10350"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/pull/10351"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-843"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.70)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.7.0-alpha.18)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-03-31T16:20:41.200362+00:00", "value": {"mitigation_remediation": ["Update to Parse Server version 8.6.70 or later, or 9.7.0-alpha.18 or later, which contain the fix for the LiveQuery protected-field guard", "Review and enforce least\u2011privilege permissions; ensure users without legitimate need do not have find access to classes with protected fields", "If immediate update is not possible, disable LiveQuery subscriptions that enable protected-fields queries or restrict use of the $or, $and, and $nor operators through custom validation logic"], "summary": {"action": "Patch Immediately", "impact": "Data Exposure via LiveQuery Field Bypass"}, "threat_synthesis": {"affected_systems": "The issue affects parse-community's open-source Parse Server deployments. Versions older than or equal to 8.6.69 and 9.7.0-alpha.17 are vulnerable, while 8.6.70 and 9.7.0-alpha.18 patch the flaw. Any infrastructure running those older versions of the software is at risk.", "description_and_impact": "Prior to certain releases of Parse Server, an authenticated user who has permission to perform find operations can circumvent the protectedFields guard on LiveQuery subscriptions. By sending a subscription payload that includes a logical operator such as $or, $and, or $nor, the attacker can replace the expected array with an \"array-like\" object that has numeric keys and a length property. The resulting subscription event acts as a binary oracle, revealing whether a protected field contains a value that matches the attacker\u2019s test. The primary consequence is unauthorized disclosure of data that should be hidden from that user. This vulnerability does not allow arbitrary code execution but can leak confidential information.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting lower known exploitation activity so far. However, the attack requires the attacker to be authenticated and to have find permissions on the target class. Once those conditions are met, the attacker can craft a subscription payload to infer protected field values. Because the exploit relies on normal API usage, it could be performed by any authenticated user if permissions are improperly configured. The risk of data leakage warrants prompt attention."}}}}, "created": "2026-03-31T19:54:13.550587+00:00", "updated": "2026-03-31T20:38:09.713082+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}