Parse Server is an open-source backend platform that supports real-time data synchronization via its LiveQuery WebSocket interface. In affected versions prior to 8.6.53 and between 9.0.0 and 9.6.0-alpha.42, the LiveQuery interface does not correctly enforce Class-Level Permission (CLP) pointer permissions, specifically the readUserFields and pointerFields restrictions. These permissions are designed to restrict access to objects based on pointer fields that reference authorized users. However, due to this incorrect authorization, any authenticated user can subscribe to LiveQuery events and receive updates for all objects in classes that should be protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This results in a bypass of intended access controls that are otherwise enforced by the REST API, exposing potentially sensitive data in real time. The vulnerability is classified under CWE-863 (Incorrect Authorization) and has a CVSS 4.0 base score of 7.1, indicating high severity. Exploitation requires only authentication, no user interaction, and can be performed remotely over the network. The issue was publicly disclosed on March 24, 2026, and patches are available in parse-server versions 8.6.53 and 9.6.0-alpha.42.

This vulnerability can lead to unauthorized disclosure of sensitive data in real time, undermining confidentiality guarantees of applications using parse-server's LiveQuery feature. Attackers with valid credentials can bypass pointer-based access controls and subscribe to data streams they should not access, potentially exposing user information, business data, or other protected content. This can result in privacy violations, regulatory non-compliance, reputational damage, and potential exploitation of exposed data for further attacks. Since LiveQuery is often used for real-time updates in mobile and web applications, the scope of affected systems can be broad, impacting any organization relying on parse-server for backend services. The ease of exploitation (requiring only authentication and no user interaction) increases the risk, especially in environments with weak credential management or insider threats.

Organizations should immediately upgrade parse-server to version 8.6.53 or later, or 9.6.0-alpha.42 or later, where the vulnerability is patched. Until upgrades can be applied, administrators should consider disabling the LiveQuery WebSocket interface if real-time updates are not critical, or implement additional application-layer access controls to restrict subscriptions based on user identity. Monitoring and logging WebSocket subscription requests can help detect anomalous subscription patterns indicative of exploitation attempts. Additionally, enforcing strong authentication mechanisms, such as multi-factor authentication, can reduce the risk of unauthorized access. Regularly auditing class-level permissions and pointer field configurations is recommended to ensure they are correctly set. Finally, developers should review their use of LiveQuery to minimize exposure of sensitive data and consider alternative real-time data delivery mechanisms if necessary.