Advisory Database

CVE-2026-33163: Parse Server leaks protected fields via LiveQuery afterEvent trigger

March 18, 2026

When a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that class. Fields configured as protected via Class-Level Permissions (protectedFields) are included in LiveQuery event payloads for all event types (create, update, delete, enter, leave).

Any user with sufficient CLP permissions to subscribe to the affected class can receive protected field data of other users, including sensitive personal information and OAuth tokens from third-party authentication providers.
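As an added example (not parse-server's own code), the following filter applies protectedFields semantics to a LiveQuery event object before it is handed to a subscriber, so that a trigger-side mitigation can be checked while the upgrade in the Solution section is rolled out. The CLP model used is an assumption that simplifies Parse Server's behaviour: fields under "*" are hidden from everyone, a subscriber that also matches more specific keys (its user id, a "role:<name>" it holds) keeps only the fields hidden by every matching entry, and authData is hidden unless the subscriber owns the _User object; the event, CLP and subscriber objects are constructed sample data.

```javascript
// Keys a subscriber can match in a protectedFields CLP: "*", its id, its roles.
// (Assumed simplified model of Parse Server CLP matching.)
function subscriberKeys(subscriber) {
  const keys = ["*"];
  if (subscriber && subscriber.id) keys.push(subscriber.id);
  for (const role of (subscriber && subscriber.roles) || []) keys.push(`role:${role}`);
  return keys;
}

// Fields hidden from this subscriber: the intersection of all matching entries,
// so a more specific entry can reveal a field that "*" hides.
function hiddenFieldsFor(protectedFields, subscriber) {
  const matching = subscriberKeys(subscriber).filter((k) => k in protectedFields);
  if (matching.length === 0) return new Set();
  let hidden = new Set(protectedFields[matching[0]]);
  for (const k of matching.slice(1)) {
    hidden = new Set(protectedFields[k].filter((f) => hidden.has(f)));
  }
  return hidden;
}

// Return a copy of the LiveQuery event whose object omits every field the
// subscriber must not see; authData is hidden unless the subscriber owns the user.
function filterLiveQueryPayload(event, protectedFields, subscriber) {
  const hidden = hiddenFieldsFor(protectedFields, subscriber);
  const isOwner =
    event.className === "_User" && subscriber && subscriber.id === event.object.objectId;
  if (!isOwner) hidden.add("authData");
  const object = {};
  for (const [field, value] of Object.entries(event.object)) {
    if (!hidden.has(field)) object[field] = value;
  }
  return { ...event, object };
}

// Constructed sample CLP and event (not real data).
const sampleClp = { "*": ["email", "phone"], "role:Admin": ["phone"] };
const sampleEvent = {
  event: "update",
  className: "_User",
  object: {
    objectId: "u1",
    username: "alice",
    email: "alice@example.invalid",
    phone: "555-0100",
    authData: { github: { access_token: "sample-token" } },
  },
};
```

Running the filter for an anonymous subscriber, an Admin, and the object's owner shows that only the owner keeps authData and only the Admin sees email.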

References

  • github.com/advisories/GHSA-5hmj-jcgp-6hff
  • github.com/parse-community/parse-server
  • github.com/parse-community/parse-server/pull/10232
  • github.com/parse-community/parse-server/pull/10233
  • github.com/parse-community/parse-server/security/advisories/GHSA-5hmj-jcgp-6hff
  • nvd.nist.gov/vuln/detail/CVE-2026-33163


Affected versions

All versions before 8.6.50, all versions starting from 9.0.0 before 9.6.0-alpha.35

Fixed versions

  • 9.6.0-alpha.35
  • 8.6.50

Solution

Upgrade to versions 8.6.50, 9.6.0-alpha.35 or above.

Impact 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


Weakness

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Source file

npm/parse-server/CVE-2026-33163.yml


Page generated Thu, 19 Mar 2026 16:05:46 +0000.