Parse Server is an open-source backend platform running on Node.js, widely used for mobile and web applications. In versions prior to 9.6.0-alpha.35 and 8.6.50, a vulnerability (CVE-2026-33163) exists in the LiveQuery server component when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class. LiveQuery allows clients to subscribe to real-time updates on data objects. The vulnerability arises because the server creates a Parse.Object for the event and then generates a JSON copy via toJSONwithObjects(). The sensitive data filtering mechanism is applied only to the original Parse.Object reference, not the JSON copy actually sent to clients. Consequently, protected fields configured via Class-Level Permissions (protectedFields), including sensitive personal data and OAuth tokens in authData, are leaked to all subscribers of that class’s LiveQuery events (create, update, delete, enter, leave). This exposure occurs without requiring authentication or user interaction, only subscription permissions to the class. The root cause is a reference detachment bug in the event processing logic. The fix implemented in versions 9.6.0-alpha.35 and 8.6.50 ensures the JSON copy is reassigned to the response object before filtering, so the filter operates on the data sent to clients. As an immediate mitigation, removing all afterLiveQueryEvent triggers prevents the detachment and thus the leak. No known exploits are reported in the wild yet, but the vulnerability has a CVSS 4.0 score of 8.2 (high severity) due to the ease of exploitation and sensitive data exposure.

This vulnerability can lead to unauthorized disclosure of sensitive user information, including personal data and OAuth tokens from third-party authentication providers. Such exposure can facilitate identity theft, account takeover, and unauthorized access to third-party services. Organizations using affected parse-server versions with LiveQuery and afterLiveQueryEvent triggers risk significant confidentiality breaches. The leak affects all subscribers with sufficient Class-Level Permissions, potentially including malicious insiders or compromised accounts. Since OAuth tokens are exposed, attackers could escalate privileges or pivot to other systems. The vulnerability does not impact data integrity or availability directly but severely compromises confidentiality. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR), and cause financial losses. The ease of exploitation and lack of required user interaction increase the risk of widespread abuse once exploited.

Organizations should immediately upgrade parse-server to version 9.6.0-alpha.35 or later, or 8.6.50 or later, where the vulnerability is fixed. If immediate upgrade is not feasible, remove all Parse.Cloud.afterLiveQueryEvent trigger registrations to prevent the reference detachment bug and stop sensitive data leakage. Review Class-Level Permissions and minimize subscription permissions to only trusted users. Audit LiveQuery usage and monitor for unusual subscription activity. Implement additional application-layer encryption or token obfuscation if possible to reduce impact of leaks. Regularly review and rotate OAuth tokens and credentials to limit exposure duration. Stay updated with parse-community advisories for any further patches or mitigations. Consider isolating LiveQuery servers or restricting network access to trusted clients to reduce attack surface.