GHSA-97PR-9HGG-3P8R
Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42Impact
A Parse Server LiveQuery subscriber can receive object field values they are not authorized to read when a single save changes both an object field and the subscriber's ACL read access to that object. When such a save removes the subscriber's read access, the resulting leave event still carries the post-update object body, disclosing the new field values the subscriber is no longer permitted to read. The symmetric case applies to the enter event: when a save grants read access, the event includes the pre-grant object state the subscriber was not previously permitted to read. The disclosure is bounded to the single object affected by that save and is delivered only to the subscriber whose access changed. Applications that combine content changes with access-control changes in the same save on LiveQuery-enabled classes are affected.
Patches
Parse Server now verifies the subscriber's authorization for the specific object state included in leave and enter events. For a leave caused by the subscriber losing read access, the event delivers the last object state the subscriber was authorized to see instead of the post-update body. For an enter caused by the subscriber gaining read access, the previously unauthorized original object state is omitted. Events caused by a normal query-match change, where the subscriber keeps read access, are unaffected, as are master-key subscribers.
Workarounds
Do not change an object's field values and a subscriber's ACL read access in the same save on LiveQuery-enabled classes; perform the access-control change in a separate save before or after the content change. Alternatively, limit which classes are enabled for LiveQuery.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.9.1-alpha.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.6.82"
},
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.6.83"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:42:48Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\n\nA Parse Server LiveQuery subscriber can receive object field values they are not authorized to read when a single `save` changes both an object field and the subscriber\u0027s ACL read access to that object. When such a save removes the subscriber\u0027s read access, the resulting `leave` event still carries the post-update object body, disclosing the new field values the subscriber is no longer permitted to read. The symmetric case applies to the `enter` event: when a save grants read access, the event includes the pre-grant object state the subscriber was not previously permitted to read. The disclosure is bounded to the single object affected by that save and is delivered only to the subscriber whose access changed. Applications that combine content changes with access-control changes in the same save on LiveQuery-enabled classes are affected.\n\n### Patches\n\nParse Server now verifies the subscriber\u0027s authorization for the specific object state included in `leave` and `enter` events. For a `leave` caused by the subscriber losing read access, the event delivers the last object state the subscriber was authorized to see instead of the post-update body. For an `enter` caused by the subscriber gaining read access, the previously unauthorized original object state is omitted. Events caused by a normal query-match change, where the subscriber keeps read access, are unaffected, as are master-key subscribers.\n\n### Workarounds\n\nDo not change an object\u0027s field values and a subscriber\u0027s ACL read access in the same `save` on LiveQuery-enabled classes; perform the access-control change in a separate save before or after the content change. Alternatively, limit which classes are enabled for LiveQuery.",
"id": "GHSA-97pr-9hgg-3p8r",
"modified": "2026-06-19T21:42:48Z",
"published": "2026-06-19T21:42:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-97pr-9hgg-3p8r"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10515"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10516"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.