CVE-2026-34363: LiveQuery protected field leak via shared mutable state across concurrent subscribers
(updated )
When multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber’s filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object.
Additionally, when an afterEvent Cloud Code trigger is registered, one subscriber’s trigger modifications can leak to other subscribers through the same shared mutable state.
Any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class.
References
- github.com/advisories/GHSA-m983-v2ff-wq65
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b
- github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055
- github.com/parse-community/parse-server/pull/10330
- github.com/parse-community/parse-server/pull/10331
- github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65
- nvd.nist.gov/vuln/detail/CVE-2026-34363
Code Behaviors & Features
Detect and mitigate CVE-2026-34363 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →