CVE-2026-33421: Parse Server's LiveQuery bypasses CLP pointer permission enforcement

March 20, 2026

Parse Server’s LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API.

References

github.com/advisories/GHSA-fph2-r4qg-9576
github.com/parse-community/parse-server
github.com/parse-community/parse-server/pull/10250
github.com/parse-community/parse-server/pull/10252
github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576
nvd.nist.gov/vuln/detail/CVE-2026-33421

Code Behaviors & Features

Detect and mitigate CVE-2026-33421 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →