CVE-2026-33421: Parse Server Auth Bypass Vulnerability

CVE-2026-33421 Overview

CVE-2026-33421 is an Authorization Bypass vulnerability affecting Parse Server, an open source backend that can be deployed to any infrastructure running Node.js. The vulnerability exists in the LiveQuery WebSocket interface, which fails to properly enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). This allows any authenticated user to subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user.

Critical Impact

Authenticated attackers can bypass intended read access controls to access potentially sensitive data in real-time that is correctly restricted via the REST API.

Affected Products

• Parse Server versions prior to 8.6.53
• Parse Server versions 9.6.0-alpha1 through 9.6.0-alpha41
• parseplatform parse-server for Node.js

Discovery Timeline

• March 24, 2026 - CVE-2026-33421 published to NVD
• March 25, 2026 - Last updated in NVD database

Technical Details for CVE-2026-33421

Vulnerability Analysis

The vulnerability stems from an incomplete implementation of Class-Level Permission (CLP) enforcement within Parse Server's LiveQuery functionality. While the REST API correctly restricts access based on pointer permissions (readUserFields and pointerFields), the LiveQuery WebSocket interface fails to apply these same access control checks when processing subscription requests.

When a user subscribes to a LiveQuery channel, the server should validate that the requesting user has appropriate permissions based on the CLP pointer fields. However, the vulnerable code path did not properly evaluate the return value from the _matchesCLP function, allowing all authenticated users to receive real-time updates regardless of whether they should have access to the data.

This creates a significant security gap where data that appears properly protected through the Parse Dashboard or REST API can be exfiltrated through the LiveQuery WebSocket connection.

Root Cause

The root cause is a logic error in src/LiveQuery/ParseLiveQueryServer.ts where the _matchesCLP function was called but its return value was not properly evaluated. The function would execute the CLP matching logic, but the result was discarded, and the code would proceed to push updates to subscribers regardless of whether the CLP check passed or failed.

The vulnerability is classified as CWE-863 (Incorrect Authorization), where the software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource.

Attack Vector

An attacker can exploit this vulnerability over the network by authenticating with any valid user credentials and establishing a WebSocket connection to the LiveQuery endpoint. Once connected, the attacker subscribes to classes that use pointer-based permissions for access control. The server will then broadcast real-time object updates to the attacker even when the pointer fields on those objects do not reference the attacker's user.

This allows unauthorized access to potentially sensitive user data, private messages, personal information, or any other data protected by CLP pointer permissions.

// Security patch from src/LiveQuery/ParseLiveQueryServer.ts
// Source: https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee

           const op = this._getCLPOperation(subscription.query);
           let res: any = {};
           try {
-            await this._matchesCLP(
+            const matchesCLP = await this._matchesCLP(
               classLevelPermissions,
               message.currentParseObject,
               client,
               requestId,
               op
             );
+            if (matchesCLP === false) {
+              return null;
+            }
             const isMatched = await this._matchesACL(acl, client, requestId);
             if (!isMatched) {
               return null;

Detection Methods for CVE-2026-33421

Indicators of Compromise

• Unusual volume of WebSocket connections to the LiveQuery endpoint from individual user accounts
• Authenticated users subscribing to classes or tables they should not have access to
• Multiple LiveQuery subscriptions from a single session attempting to access different protected classes
• Log entries showing LiveQuery subscription requests for classes with CLP pointer permissions enabled

Detection Strategies

• Monitor WebSocket connection patterns for anomalous subscription behavior across protected classes
• Implement logging for all LiveQuery subscription requests and correlate with CLP configurations
• Review access logs for users receiving data updates from objects where pointer fields do not reference their user ID
• Deploy application-level monitoring to detect discrepancies between REST API access patterns and LiveQuery subscriptions

Monitoring Recommendations

• Enable verbose logging for the LiveQuery subsystem to capture subscription requests and data push events
• Set up alerts for authenticated users subscribing to multiple classes with CLP pointer permissions in rapid succession
• Monitor for data exfiltration patterns through WebSocket connections
• Audit existing LiveQuery subscriptions against expected access patterns based on your application's permission model

How to Mitigate CVE-2026-33421

Immediate Actions Required

• Upgrade Parse Server to version 8.6.53 or later for the stable branch
• Upgrade to version 9.6.0-alpha.42 or later if using the alpha release track
• Review and audit any classes using CLP pointer permissions (readUserFields and pointerFields) for potential data exposure
• Consider temporarily disabling LiveQuery for sensitive classes until the patch is applied

Patch Information

Parse Server maintainers have released patched versions addressing this vulnerability. The fix ensures that the return value from _matchesCLP is properly evaluated, and connections that fail the CLP pointer permission check are denied access to the data stream.

Relevant resources:

• GitHub Security Advisory GHSA-fph2-r4qg-9576
• Patch Commit for stable branch
• Patch Commit for alpha branch

Workarounds

• Disable LiveQuery functionality entirely if it is not required for your application
• Move sensitive data protected by pointer permissions to separate classes and disable LiveQuery subscriptions for those classes
• Implement additional application-layer access controls before processing LiveQuery events
• Use ACL-based permissions instead of CLP pointer permissions where possible, as ACL checks were correctly enforced

# Configuration example - Disable LiveQuery for specific classes in Parse Server configuration
# In your Parse Server initialization, avoid adding sensitive classes to liveQuery.classNames

# Example Parse Server config (JavaScript)
# const api = new ParseServer({
#   ...
#   liveQuery: {
#     classNames: ['PublicClass', 'AnotherSafeClass'], // Exclude classes with pointer permissions
#   }
# });