Parse Server has a protected field change detection oracle via LiveQuery watch parameter
GHSA-qpc3-fg4j-8hgm · BIT-parse-2026-33429 · CVE-2026-33429
Published · Modified
Description
Impact
An attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value.
Patches
The watch parameter is now validated against protected fields at subscription time, mirroring the existing validation for the where clause. Subscriptions that include protected fields in watch are rejected with a permission error. Master key connections are exempt.
Workarounds
None.
References
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33429
- WEB https://github.com/parse-community/parse-server/pull/10253
- WEB https://github.com/parse-community/parse-server/pull/10254
- WEB https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b
- WEB https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67
- PACKAGE https://github.com/parse-community/parse-server
Ready to move
Start Securing
Free, no credit card | First findings in minutes