CVE-2026-32098: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in parse-community parse-server

Severity: Medium
Published: Wed Mar 11 2026 (03/11/2026, 19:57:26 UTC)
Source: CVE Database V5
Vendor/Project: parse-community
Product: parse-server

Description

CVE-2026-32098 is a medium-severity vulnerability in parse-community's parse-server affecting versions prior to 9.6.0-alpha.9 and 8.6.35. It allows an unauthenticated attacker to infer values of protected fields by exploiting LiveQuery subscriptions with crafted WHERE clauses referencing protected fields. This boolean oracle side-channel leaks sensitive information without direct access to the data. The vulnerability impacts any class with protectedFields configured in Class-Level Permissions and LiveQuery enabled. No user interaction or authentication is required, and exploitation can be performed remotely over the network.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/19/2026, 02:19:51 UTC

Technical Analysis

Parse Server is an open-source backend platform that runs on Node.js and supports LiveQuery, a feature enabling real-time data subscriptions. In versions prior to 9.6.0-alpha.9 and 8.6.35, a vulnerability (CVE-2026-32098) exists whereby an attacker can exploit LiveQuery subscriptions to leak protected field values without direct access. The attack leverages the ability to subscribe to LiveQuery events with a WHERE clause that references protected fields, including through dot-notation or regular expressions. By observing whether LiveQuery events are triggered for objects matching the query, the attacker creates a boolean oracle that reveals whether certain protected field values meet the query criteria. This side-channel attack bypasses the intended Class-Level Permissions that protect sensitive fields, effectively exposing confidential information to unauthorized actors. The vulnerability affects any class configured with protectedFields and LiveQuery enabled, making it broadly applicable in deployments using these features. No authentication or user interaction is required, and the attack can be performed remotely over the network. The vulnerability was assigned CVE-2026-32098 and is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It has a CVSS 4.0 base score of 6.9, indicating a medium severity. The issue was resolved in parse-server versions 9.6.0-alpha.9 and 8.6.35 by fixing the LiveQuery subscription handling to prevent inference of protected field values.

Potential Impact

This vulnerability can lead to unauthorized disclosure of sensitive information stored in protected fields of parse-server databases. Organizations relying on parse-server for backend services, especially those using LiveQuery and protectedFields configurations, risk leaking confidential data such as personally identifiable information, credentials, or business-critical details. The exposure occurs without authentication or user interaction, increasing the attack surface and enabling remote exploitation. This can undermine data confidentiality, violate compliance requirements, and damage organizational reputation. Attackers can perform reconnaissance to infer sensitive data values, potentially facilitating further attacks such as targeted phishing, identity theft, or privilege escalation. Since parse-server is widely used in mobile and web applications globally, the impact can be significant, especially for industries handling sensitive user data like finance, healthcare, and e-commerce.

Mitigation Recommendations

The primary mitigation is to upgrade parse-server to version 9.6.0-alpha.9 or later, or 8.6.35 or later, where the vulnerability is patched. Until upgrades can be applied, organizations should consider disabling LiveQuery subscriptions on classes with protectedFields configured to prevent exploitation. Review and tighten Class-Level Permissions to minimize exposure of sensitive fields. Implement network-level controls such as firewall rules or API gateways to restrict access to LiveQuery endpoints only to trusted clients. Monitor LiveQuery subscription patterns for unusual or suspicious queries that may indicate exploitation attempts. Employ logging and alerting on backend access to detect potential reconnaissance activity. Conduct a thorough audit of data exposure risks in parse-server deployments and apply defense-in-depth controls such as encryption of sensitive data at rest and in transit. Finally, educate developers and administrators about the risks of enabling LiveQuery with protectedFields and encourage timely patch management.
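One way to act on the monitoring and hardening advice above is to check each LiveQuery subscribe request's where clause against the class's protectedFields before accepting it, covering the dot-notation and operator forms (such as $regex) the technical analysis mentions. The following is an added example, not parse-server's own code; it assumes a CLP object of the shape { protectedFields: { "*": [...] } } and uses constructed sample requests.

```javascript
// Added example, not Parse Server's own code: flag LiveQuery subscribe requests
// whose WHERE clause constrains a field in the class's protectedFields CLP. The
// CLP shape ({ protectedFields: { "*": [...] } }) and the sample requests are
// constructed assumptions for this illustration.
// Every field path a where clause constrains, following $or/$and/$nor branches,
// dot-notation keys and operator maps such as { $regex: ... }.
function referencedFields(where, prefix = "") {
  const fields = new Set();
  for (const [key, value] of Object.entries(where || {})) {
    if (key === "$or" || key === "$and" || key === "$nor") {
      (value || []).forEach((b) => referencedFields(b, prefix).forEach((f) => fields.add(f)));
    } else if (key.startsWith("$")) {
      if (prefix) fields.add(prefix); // operator constrains the enclosing field
    } else {
      const path = prefix ? `${prefix}.${key}` : key;
      const nested = value && typeof value === "object" && !Array.isArray(value)
        ? referencedFields(value, path) : new Set();
      for (const f of nested.size ? nested : [path]) fields.add(f);
    }
  }
  return fields;
}
// Paths that hit a protected field exactly or via dot-notation beneath it
// (protecting "profile" also covers "profile.salary").
function protectedReferences(where, protectedSet) {
  const hits = [];
  for (const path of referencedFields(where)) {
    for (const p of protectedSet) {
      if (path === p || path.startsWith(p + ".")) { hits.push(path); break; }
    }
  }
  return hits.sort();
}
// requestIds whose where clause touches a field protected for `requester`
// ("*" is the CLP entry that applies to unauthenticated clients).
function flagSubscriptions(subs, clp, requester = "*") {
  const prot = new Set(clp.protectedFields[requester] || []);
  return subs.filter((s) => protectedReferences(s.where, prot).length > 0)
             .map((s) => s.requestId);
}

// Constructed sample CLP and subscribe requests (not real traffic).
const CLP = { protectedFields: { "*": ["ssn", "profile"] } };
const SUBSCRIPTIONS = [
  { requestId: 1, className: "Customer", where: { status: "active" } },
  { requestId: 2, className: "Customer", where: { ssn: { $regex: "^12" } } },
  { requestId: 3, className: "Customer",
    where: { $or: [{ "profile.salary": { $gt: 100000 } }, { tier: "gold" }] } },
];
console.log("flagged:", flagSubscriptions(SUBSCRIPTIONS, CLP)); // flagged: [ 2, 3 ]
```

Requests 2 and 3 are flagged because a $regex on ssn and a $gt on profile.salary would each let the subscriber learn something about a protected value from whether events fire; request 1 only constrains an unprotected field.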

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-10T22:02:38.853Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69b1cd382f860ef94372074b

Added to database: 3/11/2026, 8:14:48 PM

Last enriched: 3/19/2026, 2:19:51 AM

Last updated: 4/24/2026, 1:57:11 PM