CVE-2026-32098: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in parse-community parse-server
CVE-2026-32098 is a medium-severity vulnerability in parse-community's parse-server affecting versions prior to 9.6.0-alpha.9 and 8.6.35. It allows an unauthenticated attacker to infer the values of protected fields by creating LiveQuery subscriptions with crafted WHERE clauses. The attacker uses boolean oracle techniques, observing whether LiveQuery events are delivered, to leak sensitive information without direct read access. This affects any class that has protectedFields configured in its Class-Level Permissions and has LiveQuery enabled. The vulnerability requires neither authentication nor user interaction and can be exploited remotely.
AI Analysis
Technical Summary
Parse Server is an open-source backend framework that runs on Node.js and is widely used for building mobile and web applications. CVE-2026-32098 arises from the way LiveQuery subscriptions handle queries that reference protected fields. LiveQuery allows clients to subscribe to real-time updates on database objects. In affected versions (>=9.0.0 and <9.6.0-alpha.9, and <8.6.35), an attacker can create a subscription whose WHERE clause references protected fields, including through dot-notation paths or regular-expression constraints. Although these fields are protected and never returned directly, the attacker can infer their values by observing whether LiveQuery events fire for matching objects. This forms a side channel, a boolean oracle, that leaks sensitive information without direct access to the data. The attack exploits the interaction between the protectedFields setting in Class-Level Permissions and LiveQuery's event delivery mechanism. No authentication or user interaction is required, and the attack can be performed remotely. The issue is resolved in parse-server versions 9.6.0-alpha.9 and 8.6.35 by correcting how LiveQuery handles protected fields in subscriptions so that they no longer leak information.
Potential Impact
This vulnerability enables unauthorized actors to infer sensitive information from protected fields in parse-server databases, potentially exposing confidential user data or application secrets. Since parse-server is often used as a backend for mobile and web applications, data leakage can compromise user privacy, violate compliance requirements, and damage organizational reputation. The attack requires no authentication, increasing the risk of widespread exploitation. Although no direct data extraction occurs, the boolean oracle technique can reveal critical information over time, which attackers can leverage for further attacks such as social engineering, identity theft, or privilege escalation. Organizations relying on vulnerable parse-server versions face risks of data breaches and loss of trust. The impact is heightened for applications handling sensitive personal, financial, or proprietary data.
Mitigation Recommendations
Organizations should upgrade parse-server to version 9.6.0-alpha.9 or later, or 8.6.35 or later, where the vulnerability is fixed. Until upgrades are applied, administrators should consider disabling LiveQuery subscriptions on classes with protectedFields configured to prevent exploitation. Review and tighten Class-Level Permissions to minimize exposure of sensitive fields and restrict access where possible. Implement network-level controls such as IP whitelisting or VPN access to limit exposure of parse-server endpoints. Monitor LiveQuery subscription patterns and logs for suspicious activity indicative of probing or boolean oracle attacks. Conduct thorough security testing of parse-server deployments, especially when using LiveQuery features. Educate developers on secure configuration practices and the risks of exposing sensitive data via real-time subscriptions.
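One way to implement the interim mitigation described above, as an added example that is not parse-server's own code: a pre-acceptance check that compares a LiveQuery subscription's `where` clause against the class's protectedFields for the public (`*`) audience and rejects any subscription that constrains a protected field, whether directly, through a dot-notation path or through a `$regex` operator. The class name, field names and the shape of the `classLevelPermissions` object are assumptions for illustration.

```javascript
// Added example (not parse-server code): vet an unauthenticated LiveQuery
// subscription's `where` clause against a class's protectedFields so that a
// constraint on a protected field is refused before any events can be
// delivered. Class name, field names and the CLP object shape are assumed.

// Keys that combine sub-clauses rather than naming a field.
const COMPOUND_OPERATORS = new Set(['$and', '$or', '$nor']);

// Collect every field path that the `where` object places a constraint on,
// descending into $and/$or/$nor arrays. A value such as {$regex: '^a'} still
// counts as a constraint on its key.
function constrainedFields(where, out = new Set()) {
  if (!where || typeof where !== 'object') return out;
  for (const [key, value] of Object.entries(where)) {
    if (COMPOUND_OPERATORS.has(key) && Array.isArray(value)) {
      value.forEach((sub) => constrainedFields(sub, out));
    } else {
      out.add(key); // e.g. "email" or a dot path such as "profile.ssn"
    }
  }
  return out;
}

// Return the protected fields referenced by the where clause, matching a
// dot-notation path against each of its prefixes ("profile.ssn" -> "profile").
function protectedFieldReferences(where, protectedFields) {
  const protectedSet = new Set(protectedFields || []);
  const hits = new Set();
  for (const path of constrainedFields(where)) {
    const parts = path.split('.');
    for (let i = 1; i <= parts.length; i++) {
      const prefix = parts.slice(0, i).join('.');
      if (protectedSet.has(prefix)) hits.add(prefix);
    }
  }
  return [...hits].sort();
}

// Decision helper for the subscription handler: allowed only when no
// protected field (for the `*` audience) is constrained. The returned list is
// what a deployment would log to spot oracle-style probing.
function vetSubscription(className, where, classLevelPermissions) {
  const clp = classLevelPermissions[className] || {};
  const publicProtected = (clp.protectedFields && clp.protectedFields['*']) || [];
  const referenced = protectedFieldReferences(where, publicProtected);
  return { allowed: referenced.length === 0, protectedFieldsReferenced: referenced };
}

// Constructed sample CLP: the Employee class hides email, salary and profile.
const SAMPLE_CLP = {
  Employee: { protectedFields: { '*': ['email', 'salary', 'profile'] } },
};
```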
Affected Countries
United States, Germany, United Kingdom, India, Canada, Australia, France, Japan, Brazil, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:02:38.853Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b1cd382f860ef94372074b
Added to database: 3/11/2026, 8:14:48 PM
Last enriched: 3/11/2026, 8:30:12 PM
Last updated: 3/11/2026, 9:27:12 PM