CVE-2026-30947: Parse Server has a bypass of class-level permissions in LiveQuery
Class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions.
All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time.
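The mitigation is to move to a release that enforces CLP for LiveQuery subscriptions. As an added check (not code from the advisory or from the Parse Server project), the Node.js script below compares an installed parse-server version against the release tags linked in the references, 8.6.16 and 9.5.2-alpha.3, treating those tags as the first fixed versions of their major lines (an assumption drawn from the reference links); prerelease ordering is handled explicitly so that a 9.5.2-alpha.2 install is still flagged.

```javascript
// Added example, not part of the advisory or of parse-server itself.
// ASSUMPTION: the release tags in the references are the first fixed versions.
const FIXED_RELEASES = ['8.6.16', '9.5.2-alpha.3'];

// Split "9.5.2-alpha.3" into core numbers and prerelease identifiers.
function parseVersion(v) {
  const s = v.replace(/^v/, '');
  const dash = s.indexOf('-');
  const core = dash < 0 ? s : s.slice(0, dash);
  const pre = dash < 0 ? null : s.slice(dash + 1);
  const nums = core.split('.').map(Number);
  if (nums.length !== 3 || nums.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  // numeric prerelease identifiers compare numerically, others lexically
  const prerelease = pre ? pre.split('.').map(p => (/^\d+$/.test(p) ? Number(p) : p)) : null;
  return { nums, prerelease };
}

// Semver precedence: core numbers first; a release ranks above the same core
// with a prerelease tag; prerelease identifiers are compared left to right.
function compare(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) if (A.nums[i] !== B.nums[i]) return A.nums[i] < B.nums[i] ? -1 : 1;
  if (!A.prerelease && !B.prerelease) return 0;
  if (!A.prerelease) return 1;
  if (!B.prerelease) return -1;
  const n = Math.max(A.prerelease.length, B.prerelease.length);
  for (let i = 0; i < n; i++) {
    const x = A.prerelease[i], y = B.prerelease[i];
    if (x === undefined) return -1; // shorter prerelease list ranks lower
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x === 'number' && typeof y === 'number') return x < y ? -1 : 1;
    if (typeof x === 'number') return -1; // numeric ranks below alphanumeric
    if (typeof y === 'number') return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// true = at or above the fixed release of its major line, false = vulnerable,
// null = major line not covered by the advisory's release tags.
function isFixed(installed) {
  const major = parseVersion(installed).nums[0];
  const fixed = FIXED_RELEASES.find(f => parseVersion(f).nums[0] === major);
  return fixed ? compare(installed, fixed) >= 0 : null;
}

// Read the installed parse-server version from a package-lock.json object (lockfile v2/v3 layout).
function auditLock(lock) {
  const entry = lock.packages && lock.packages['node_modules/parse-server'];
  if (!entry) return { installed: null, fixed: null };
  return { installed: entry.version, fixed: isFixed(entry.version) };
}

// Constructed sample lockfile fragment for a stand-alone run.
const SAMPLE_LOCK = { packages: { 'node_modules/parse-server': { version: '9.5.2-alpha.2' } } };
console.log(auditLock(SAMPLE_LOCK));
```

Run it against your real lockfile with `auditLock(JSON.parse(fs.readFileSync('package-lock.json')))`; a `fixed: false` result means the deployment is still exposed to the LiveQuery CLP bypass.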
References
- github.com/advisories/GHSA-7ch5-98q2-7289
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/releases/tag/8.6.16
- github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3
- github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289
- nvd.nist.gov/vuln/detail/CVE-2026-30947