CVE-2026-33508: Parse Server LiveQuery subscription query depth bypass

March 20, 2026

Parse Server’s LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability.

Deployments are affected when the LiveQuery WebSocket endpoint is reachable by untrusted clients.

References

github.com/advisories/GHSA-6qh5-m6g3-xhq6
github.com/parse-community/parse-server
github.com/parse-community/parse-server/pull/10259
github.com/parse-community/parse-server/pull/10260
github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6
nvd.nist.gov/vuln/detail/CVE-2026-33508

Code Behaviors & Features

Detect and mitigate CVE-2026-33508 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →