CVE-2026-34595: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') in parse-community parse-server
CVE-2026-34595 is a medium severity vulnerability in parse-community's parse-server affecting versions prior to 8.6.70 and between 9.0.0 and 9.7.0-alpha.18. It allows an authenticated user with find class-level permission to bypass protectedFields restrictions on LiveQuery subscriptions by exploiting a type confusion issue with array-like objects in query operators ($or, $and, $nor). This bypass enables the attacker to infer protected field values through subscription event responses, effectively acting as a binary oracle.
AI Analysis
Technical Summary
The vulnerability CVE-2026-34595 in parse-community's parse-server arises from a type confusion issue (CWE-843) in the handling of LiveQuery subscription filters. Parse Server is an open-source backend framework running on Node.js, widely used for real-time applications. The flaw exists in versions prior to 8.6.70 and between 9.0.0 and 9.7.0-alpha.18, where an authenticated user with find class-level permission can bypass the protectedFields class-level permission. This is achieved by crafting a LiveQuery subscription filter using logical operators ($or, $and, $nor) with an array-like object (plain object with numeric keys and a length property) instead of a proper array. The protected-field guard fails to recognize this malformed input, allowing the subscription to access fields that should be restricted. The subscription event firing mechanism then acts as a binary oracle, enabling the attacker to infer whether protected fields match specific test values by observing subscription responses. This side-channel information leak compromises confidentiality of sensitive data fields. The vulnerability requires no user interaction and no privilege escalation beyond find permission, making it relatively easy to exploit in environments where authenticated users exist. The issue has been addressed in parse-server versions 8.6.70 and 9.7.0-alpha.18 by correcting the input validation and protectedFields enforcement logic. No public exploits have been reported yet, but the vulnerability poses a risk to any deployment using affected versions with LiveQuery enabled and protectedFields configured.
Potential Impact
This vulnerability can lead to unauthorized disclosure of sensitive data fields that are intended to be protected by class-level protectedFields permissions. Attackers with only find permission can bypass these restrictions on LiveQuery subscriptions, potentially exposing confidential information such as personally identifiable information, credentials, or business-critical data. The binary oracle side-channel allows attackers to infer exact values of protected fields, which can facilitate further attacks such as privilege escalation, data exfiltration, or targeted social engineering. Organizations relying on parse-server for real-time data synchronization and using protectedFields to enforce data confidentiality are at risk. The impact is particularly significant for applications handling sensitive user data, financial information, or regulated data subject to compliance requirements. Although exploitation requires authenticated access, many applications allow user registration or have multiple users, increasing the attack surface. The vulnerability does not affect availability or integrity directly but compromises confidentiality, which can have severe reputational and regulatory consequences.
Mitigation Recommendations
The primary mitigation is to upgrade parse-server to version 8.6.70 or later, or 9.7.0-alpha.18 or later, where the vulnerability has been patched. Until an upgrade is possible, organizations should consider disabling LiveQuery subscriptions or restricting their use to trusted users only. Review and tighten class-level permissions, especially the find permission, to limit the number of users who can perform queries. Implement additional application-layer validation and monitoring to detect unusual subscription patterns that may indicate exploitation attempts. Employ network segmentation and access controls to limit exposure of parse-server instances. Regularly audit logs for suspicious LiveQuery subscription activity. Educate developers and administrators about the risks of accepting array-like objects in query filters and ensure input validation is robust. Finally, maintain an incident response plan to quickly address any detected exploitation.
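The following is an added example, not parse-server's own code: it illustrates the type confusion described in the technical summary (a plain object with numeric keys and a length property passing a loose "is this an array?" check) and the application-layer validation suggested above, by walking a LiveQuery-style filter and rejecting any $or, $and or $nor operand that is not a genuine array. The helper names (looksLikeArrayLoose, isStrictArray, validateLogicalOperators) are assumptions for this example.

```javascript
// Added example (not parse-server code): pre-validate a subscription filter
// so that logical operators only ever receive real arrays.
// Helper names below are assumptions for this example.

const LOGICAL_OPS = new Set(['$or', '$and', '$nor']);

// A loose check of the kind that array-like objects slip past:
// any object with a numeric length property satisfies it.
function looksLikeArrayLoose(value) {
  return value !== null && typeof value === 'object' && typeof value.length === 'number';
}

// The strict check: only genuine Array instances qualify.
function isStrictArray(value) {
  return Array.isArray(value);
}

// Recursively walk a filter object and collect violations (empty = OK).
function validateLogicalOperators(filter, path = 'where') {
  const violations = [];
  if (filter === null || typeof filter !== 'object') return violations;
  for (const [key, value] of Object.entries(filter)) {
    const here = `${path}.${key}`;
    if (LOGICAL_OPS.has(key)) {
      if (!isStrictArray(value)) {
        violations.push(`${here}: expected a real array, got ${Object.prototype.toString.call(value)}`);
        continue; // do not descend into a malformed operand
      }
      value.forEach((sub, i) => violations.push(...validateLogicalOperators(sub, `${here}[${i}]`)));
    } else if (value !== null && typeof value === 'object') {
      violations.push(...validateLogicalOperators(value, here));
    }
  }
  return violations;
}

// Constructed sample filters: one well-formed, one using an array-like object.
const goodFilter = { $or: [{ status: 'active' }, { role: 'editor' }] };
const arrayLikeFilter = { $or: { 0: { status: 'active' }, length: 1 } };

console.log(looksLikeArrayLoose(arrayLikeFilter.$or));  // true: the loose check is fooled
console.log(isStrictArray(arrayLikeFilter.$or));        // false
console.log(validateLogicalOperators(goodFilter));      // []
console.log(validateLogicalOperators(arrayLikeFilter)); // one violation for where.$or
```

A filter that yields any violation should be rejected before it reaches the subscription machinery, and the rejection logged, since such input has no legitimate client-side origin.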
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-30T17:15:52.499Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69cbe700e6bfc5ba1d219527
Added to database: 3/31/2026, 3:23:44 PM
Last enriched: 3/31/2026, 3:39:16 PM
Last updated: 3/31/2026, 5:08:20 PM