CVE-2026-33421: CWE-863: Incorrect Authorization in parse-community parse-server
CVE-2026-33421 is a high-severity authorization vulnerability in parse-community's parse-server affecting versions prior to 8.6.53 and between 9.0.0 and 9.6.0-alpha.42. The flaw exists in the LiveQuery WebSocket interface, which fails to enforce Class-Level Permission pointer restrictions, allowing any authenticated user to subscribe to real-time updates for objects they should not access. This bypasses intended read access controls that are properly enforced via the REST API, potentially exposing sensitive data.
AI Analysis
Technical Summary
Parse Server is an open-source backend platform that supports real-time data synchronization through its LiveQuery WebSocket interface. CVE-2026-33421 is an authorization bypass vulnerability classified under CWE-863 (Incorrect Authorization). In affected versions prior to 8.6.53 and between 9.0.0 and 9.6.0-alpha.42, the LiveQuery interface does not enforce Class-Level Permission (CLP) pointer permissions, specifically the readUserFields and pointerFields restrictions. These pointer permissions are designed to restrict access to objects based on pointer fields referencing specific users. Due to this flaw, any authenticated user can subscribe to LiveQuery events and receive updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields actually reference the subscribing user. This effectively bypasses the intended access control mechanisms that are correctly enforced in the REST API, leading to unauthorized disclosure of potentially sensitive data in real-time. The vulnerability requires the attacker to be authenticated but does not require additional user interaction, making exploitation feasible in environments where user credentials are compromised or where users have legitimate access but should not see certain data. The vulnerability has a CVSS 4.0 base score of 7.1, reflecting its high severity due to network exploitability, low attack complexity, no privileges required beyond authentication, and significant confidentiality impact. The issue was publicly disclosed on March 24, 2026, and patches are available in parse-server versions 8.6.53 and 9.6.0-alpha.42. No known exploits have been reported in the wild to date.
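The per-object check that pointer permissions are meant to impose on reads, written here as an added illustration rather than parse-server's own code: the CLP key names follow Parse's documented readUserFields and pointerFields, while the pointer encoding, the event shape and the sample class are assumptions constructed for the example. It shows what the REST path enforces and what LiveQuery skipped in affected versions.

```javascript
// Added illustration, not parse-server code. Assumed conventions: a pointer is
// encoded as { __type: 'Pointer', className: '_User', objectId }, and a pointer
// field may hold one pointer or an array of pointers.

function pointsToUser(value, userId) {
  const pointers = Array.isArray(value) ? value : [value];
  return pointers.some(
    (p) => p && p.__type === 'Pointer' && p.className === '_User' && p.objectId === userId
  );
}

// readUserFields grant get/find/count; pointerFields grant every operation,
// so both lists apply to a read. A session with no user gets nothing here.
function readableViaPointerPermissions(clp, object, userId) {
  if (!userId) return false;
  const fields = [...(clp.readUserFields || []), ...(clp.pointerFields || [])];
  return fields.some((field) => pointsToUser(object[field], userId));
}

// Filter a batch of LiveQuery-style events so a subscriber only receives
// objects whose pointer fields reference that subscriber (REST behaviour).
function filterEventsForSubscriber(clp, events, userId) {
  return events.filter((e) => readableViaPointerPermissions(clp, e.object, userId));
}

// Constructed sample: a "Document" class readable only by its owner or editors.
const DOCUMENT_CLP = { readUserFields: ['owner'], pointerFields: ['editors'] };
const ptr = (id) => ({ __type: 'Pointer', className: '_User', objectId: id });
const SAMPLE_EVENTS = [
  { op: 'create', object: { objectId: 'd1', title: 'alice plan', owner: ptr('alice'), editors: [] } },
  { op: 'update', object: { objectId: 'd2', title: 'bob notes', owner: ptr('bob'), editors: [ptr('carol')] } },
  { op: 'update', object: { objectId: 'd3', title: 'shared', owner: ptr('bob'), editors: [ptr('alice')] } },
];

// Unfiltered delivery (the vulnerable behaviour) would hand all three events
// to any authenticated subscriber; filtered delivery gives alice d1 and d3.
console.log(filterEventsForSubscriber(DOCUMENT_CLP, SAMPLE_EVENTS, 'alice').map((e) => e.object.objectId));
```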
Potential Impact
The primary impact of this vulnerability is unauthorized access to sensitive data through real-time updates, which can lead to confidentiality breaches. Organizations relying on parse-server for backend services, especially those handling sensitive or personal data, risk exposing user information to unauthorized authenticated users. This can result in data leakage, privacy violations, and potential compliance issues with data protection regulations such as GDPR or HIPAA. Since the vulnerability affects the LiveQuery WebSocket interface, attackers can continuously receive updates, amplifying the risk of data exposure over time. The flaw undermines the integrity of access controls, potentially eroding trust in the system’s security. Additionally, organizations may face reputational damage and legal consequences if sensitive data is leaked. The vulnerability affects all deployments running the vulnerable versions, which may include startups, enterprises, and service providers globally that use parse-server as their backend infrastructure.
Mitigation Recommendations
Organizations should immediately upgrade parse-server to version 8.6.53 or later, or 9.6.0-alpha.42 or later, where the vulnerability is patched. Until upgrades are applied, administrators should consider disabling the LiveQuery WebSocket interface if real-time updates are not critical to their applications. Implement strict monitoring and logging of WebSocket connections to detect unusual subscription patterns or unauthorized access attempts. Review and audit user authentication and authorization policies to limit the number of users with access to LiveQuery features. Employ network segmentation and Web Application Firewalls (WAFs) to restrict access to the parse-server backend from untrusted networks. Conduct thorough security testing and code reviews focusing on access control enforcement in real-time data interfaces. Educate developers and administrators about the risks of bypassed pointer permissions and encourage prompt patch management. Finally, consider implementing additional application-layer encryption or tokenization of sensitive data to reduce exposure risk even if unauthorized subscriptions occur.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Japan, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-19T18:45:22.432Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69c2d884f4197a8e3b5f9652
Added to database: 3/24/2026, 6:31:32 PM
Last enriched: 3/31/2026, 8:33:23 PM
Last updated: 5/7/2026, 4:29:27 AM