CVE-2026-33163 Overview
CVE-2026-33163 is a high-severity information disclosure vulnerability in Parse Server, an open source backend that can be deployed to any infrastructure that can run Node.js. The vulnerability allows the LiveQuery server to leak protected fields and authentication data (authData) to all subscribers of a class when a Parse.Cloud.afterLiveQueryEvent trigger is registered.
Critical Impact
Any user with sufficient Class-Level Permissions (CLP) to subscribe to an affected class can receive protected field data of other users, including sensitive personal information and OAuth tokens from third-party authentication providers.
Affected Products
- Parse Server versions prior to 8.6.50
- Parse Server versions 9.6.0-alpha1 through 9.6.0-alpha34
- Parse Server deployments using Parse.Cloud.afterLiveQueryEvent triggers with protected fields
Discovery Timeline
- March 18, 2026 - CVE-2026-33163 published to NVD
- March 19, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33163
Vulnerability Analysis
This vulnerability represents a reference detachment bug in Parse Server's LiveQuery implementation. The issue manifests when protected fields configured via Class-Level Permissions (protectedFields) are included in LiveQuery event payloads for all event types including create, update, delete, enter, and leave operations. The vulnerability exposes sensitive data that should be restricted, including OAuth tokens from third-party authentication providers stored in the authData field.
The flaw allows unauthorized information disclosure across user boundaries, meaning any authenticated user with subscription permissions to an affected class can intercept protected data belonging to other users. This creates a significant privacy breach vector in multi-tenant Parse Server deployments.
Root Cause
The vulnerability was caused by a reference detachment bug in the LiveQuery event handling code. When an afterEvent trigger is registered, the LiveQuery server performs a series of operations that inadvertently bypass the sensitive data filter:
- The LiveQuery server converts the event object to a Parse.Object for the trigger
- It then creates a new JSON copy via toJSONwithObjects()
- The sensitive data filter is applied to the original object reference
- However, the unfiltered JSON copy is the actual data sent to clients
This sequence results in the filter operating on a different object than what is transmitted to subscribers.
Attack Vector
An attacker with valid credentials and sufficient Class-Level Permissions to subscribe to an affected class can exploit this vulnerability by subscribing to LiveQuery events. When other users create, update, or otherwise interact with objects in that class, the attacker's subscription receives the full unfiltered data including protected fields and authentication tokens.
The attack requires:
- A Parse Server instance with Parse.Cloud.afterLiveQueryEvent triggers registered
- Classes with protected fields configured via Class-Level Permissions
- Attacker having CLP permissions to subscribe to the affected class
Detection Methods for CVE-2026-33163
Indicators of Compromise
- Unusual subscription patterns to classes containing sensitive user data
- Unexpected LiveQuery connections from single accounts monitoring multiple classes
- Authentication token usage from IP addresses different from original authentication source
- Anomalous access to third-party services using leaked OAuth tokens
Detection Strategies
- Audit Parse Server configurations for Parse.Cloud.afterLiveQueryEvent trigger registrations
- Review Class-Level Permissions to identify classes with protected fields that also allow subscriptions
- Monitor LiveQuery WebSocket connections for suspicious subscription behavior
- Analyze server logs for patterns indicating bulk data harvesting via LiveQuery
Monitoring Recommendations
- Implement logging for all LiveQuery subscription requests with user identity correlation
- Set up alerts for high-volume LiveQuery event consumption by individual users
- Monitor for OAuth token misuse that could indicate credential theft from this vulnerability
- Track access patterns to classes known to contain sensitive user data
How to Mitigate CVE-2026-33163
Immediate Actions Required
- Upgrade Parse Server to 8.6.50 or later, or to 9.6.0-alpha.35 or later on the 9.6.0 alpha line
- Review and rotate any OAuth tokens that may have been exposed through LiveQuery
- Audit user data for potential unauthorized access during the vulnerable period
- Notify affected users if sensitive personal information may have been compromised
Patch Information
The fix has been released in Parse Server versions 9.6.0-alpha.35 and 8.6.50. The patch ensures that the JSON copy is assigned back to the response object before filtering, so the filter operates on the actual data sent to clients. For technical implementation details, see GitHub Pull Request #10232 and GitHub Pull Request #10233.
Additional information is available in the GitHub Security Advisory GHSA-5hmj-jcgp-6hff.
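The following is an added example, not Parse Server's own code: a simplified model of the LiveQuery payload path that reproduces the reference detachment described under Root Cause and the fix described under Patch Information. The helpers toParseObject, toJSONwithObjects and filterSensitiveData are stand-ins for the real implementation, and the sample event and token value are constructed.

```javascript
// Added example, not Parse Server code. The helper names are stand-ins for the
// real LiveQuery implementation; the sample event below is constructed.
const SAMPLE_EVENT = {
  className: '_User',
  object: {
    objectId: 'abc123',
    username: 'alice',
    email: 'alice@example.com',
    authData: { github: { access_token: 'PLACEHOLDER_TOKEN' } },
  },
};
// Fields a CLP protectedFields setting would hide from other users.
const PROTECTED_FIELDS = ['email', 'authData'];
// Stand-in for wrapping the event JSON in a Parse.Object for the trigger.
function toParseObject(json) {
  return { attributes: { ...json } };
}
// Stand-in for toJSONwithObjects(): returns a fresh JSON copy of the wrapper.
function toJSONwithObjects(parseObject) {
  return { ...parseObject.attributes };
}
// The sensitive data filter: strips protected fields from the object it is given.
function filterSensitiveData(json, protectedFields) {
  for (const field of protectedFields) delete json[field];
  return json;
}
// Vulnerable flow: with a trigger registered, a detached JSON copy is built,
// the filter runs on res.object, but the detached copy is what is sent.
function buildPayloadVulnerable(event, protectedFields, hasAfterEventTrigger) {
  const res = { object: { ...event.object } };
  let payload = res.object;
  if (hasAfterEventTrigger) {
    const parseObject = toParseObject(res.object); // afterLiveQueryEvent runs on this
    payload = toJSONwithObjects(parseObject);        // new copy, detached from res.object
  }
  filterSensitiveData(res.object, protectedFields);  // filters the wrong reference
  return payload;
}
// Fixed flow: the JSON copy is assigned back to res.object before filtering,
// so the filter operates on the data that is actually sent.
function buildPayloadFixed(event, protectedFields, hasAfterEventTrigger) {
  const res = { object: { ...event.object } };
  if (hasAfterEventTrigger) {
    res.object = toJSONwithObjects(toParseObject(res.object)); // reattach the copy
  }
  return filterSensitiveData(res.object, protectedFields);
}
```

Running buildPayloadVulnerable with hasAfterEventTrigger set to false shows why removing the trigger registrations is a valid workaround: the filter and the payload then refer to the same object.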
Workarounds
- Remove all Parse.Cloud.afterLiveQueryEvent trigger registrations from your Parse Server deployment; without an afterEvent trigger the reference detachment does not occur and protected fields are filtered correctly
- Restrict Class-Level Permissions to limit subscription access to sensitive classes
- Consider implementing application-level filtering of sensitive fields before data reaches LiveQuery
# Configuration example
# Review Cloud Code for afterLiveQueryEvent triggers
grep -r "afterLiveQueryEvent" ./cloud/
# Temporarily disable afterLiveQueryEvent triggers until patched
# Comment out or remove trigger registrations like:
# Parse.Cloud.afterLiveQueryEvent('ClassName', async (request) => { ... });
# Verify Parse Server version
npm list parse-server
# Upgrade to patched version
npm install parse-server@8.6.50
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.