
CVE-2026-33163: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in parse-community parse-server

Severity: High
Published: Wed Mar 18 2026 (03/18/2026, 21:58:04 UTC)
Source: CVE Database V5
Vendor/Project: parse-community
Product: parse-server

Description

CVE-2026-33163 is a high-severity vulnerability in parse-community's parse-server that exposes protected fields and authentication data to unauthorized subscribers of LiveQuery events. The flaw is triggered when a Parse.Cloud.afterLiveQueryEvent trigger is registered: the LiveQuery server then sends an unfiltered JSON payload, including sensitive personal information and OAuth tokens, to every subscriber of the affected class. The cause is a reference detachment bug: the sensitive-data filter is applied to a Parse.Object reference, while the JSON copy that is actually sent to clients is never filtered. The advisory lists the affected range as parse-server >= 9.0.0 and < 9.6.0-alpha (the Technical Analysis below names 9.6.0-alpha.35 and the 8.x backport 8.6.50 as the fixed releases).

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 03/26/2026, 01:19:14 UTC

Technical Analysis

Parse Server is an open-source backend platform that supports LiveQuery, which pushes real-time data updates to clients subscribed to specific classes. In versions prior to 9.6.0-alpha.35 and 8.6.50, a high-severity vulnerability (CVE-2026-33163) exists because sensitive data is mishandled during LiveQuery event processing whenever a Parse.Cloud.afterLiveQueryEvent trigger is registered.

The defect is a reference detachment bug. To run the trigger, the LiveQuery server converts the event object to a Parse.Object and then creates a new JSON copy of it via toJSONwithObjects(). The sensitive-data filter is applied to the Parse.Object reference, but the unfiltered JSON copy is what gets delivered to subscribers. The copy therefore still contains fields the class's protectedFields configuration (set through Class-Level Permissions, CLP) was supposed to hide, as well as authData, which carries OAuth tokens issued by third-party identity providers. Any user who satisfies the CLP needed to subscribe to the affected class can receive other users' sensitive information. The root cause is an ordering error: the filter runs before the JSON copy is assigned back to the response object, so it never touches the data that is transmitted.

The fix in 9.6.0-alpha.35 and 8.6.50 assigns the JSON copy back to the response before filtering, so the filter operates on the actual payload. As a workaround, removing every afterLiveQueryEvent trigger avoids the detachment and restores correct filtering. No exploitation in the wild has been reported.

The vulnerability is tracked under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and has a CVSS 4.0 base score of 8.2 (high), with a network attack vector, low attack complexity, no user interaction, and no privileges required. Note that "no privileges required" reflects the vector as scored; in practice an attacker needs whatever the class's CLP demands to open a subscription, which in many deployments is a public read permission or any authenticated user account.

Potential Impact

The vulnerability lets LiveQuery subscribers receive protected fields and authentication data, including OAuth tokens, that belong to other users. Leaked tokens can be replayed against the third-party providers that issued them, and leaked personal data can support account takeover or privilege escalation within the affected application. Organizations that rely on parse-server as a backend, especially those using LiveQuery together with afterLiveQueryEvent triggers, face data leakage that undermines user privacy and trust, and where personal information or credentials are involved, regulatory exposure, reputational damage, and financial loss. Exploitation needs no user interaction and only the ability to subscribe to the affected class, so an attacker who can reach the LiveQuery endpoint and meet the class's CLP can harvest data remotely and continuously. Every parse-server deployment running a vulnerable version with an afterLiveQueryEvent trigger registered is in scope, which may be a large population given parse-server's popularity as a mobile and web app backend.

Mitigation Recommendations

1. Upgrade parse-server to 9.6.0-alpha.35 or later, or to 8.6.50 or later, where the ordering of the JSON copy and the sensitive-data filter is corrected.
2. If an immediate upgrade is not possible, remove all Parse.Cloud.afterLiveQueryEvent trigger registrations; with no trigger there is no detached JSON copy and the filter applies to the delivered data. Confirm that no cloud-code module or plugin registers the trigger indirectly, since a single registration is enough to expose the class.
3. Review Class-Level Permissions (CLP) and protectedFields configurations so that subscribers see only the fields they need; in particular, restrict who may subscribe to the _User class.
4. Audit LiveQuery subscriptions and monitor for unusual subscription patterns (for example, a single client subscribing to broad queries on user classes) that could indicate harvesting.
5. Apply network-level access controls to the LiveQuery endpoint so that only trusted clients can open subscriptions.
6. After upgrading or changing configuration, verify the fix end to end: subscribe with a low-privilege client, trigger updates on another user's object, and assert that the delivered payloads contain neither protectedFields values nor authData.
7. Educate development teams about the secure use of LiveQuery triggers and the importance of applying patches promptly.
8. Consider application-layer encryption or tokenization of sensitive fields to limit the impact of any future leak.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-17T21:17:08.887Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69bb2382771bdb1749c98987

Added to database: 3/18/2026, 10:13:22 PM

Last enriched: 3/26/2026, 1:19:14 AM

Last updated: 4/30/2026, 4:24:55 PM

