CVE-2026-33429 Overview
CVE-2026-33429 is an information disclosure vulnerability in Parse Server, an open source backend that can be deployed to any infrastructure running Node.js. The vulnerability exists in the LiveQuery feature, where an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value.
Critical Impact
Attackers can infer protected field values through a side-channel timing attack on LiveQuery subscriptions, potentially exposing sensitive boolean flags such as authentication states, premium account status, or feature toggles.
Affected Products
- Parse Server versions prior to 8.6.54
- Parse Server versions 9.6.0-alpha.1 through 9.6.0-alpha.42
- Parseplatform Parse-server for Node.js
Discovery Timeline
- March 24, 2026 - CVE-2026-33429 published to NVD
- March 25, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33429
Vulnerability Analysis
This vulnerability (CWE-203: Observable Discrepancy) represents a classic side-channel information disclosure attack. The flaw exists in how Parse Server's LiveQuery feature handles protected fields during subscription updates. While the implementation correctly strips protected field values from event payloads before transmission to clients, it fails to suppress the update events themselves when protected fields are modified.
This creates an observable discrepancy where an attacker monitoring LiveQuery subscriptions can determine when a protected field changes by simply observing whether an update event is emitted. For boolean protected fields, this timing-based oracle effectively reveals the field's actual value through inference—if an attacker knows a field toggled from false to true (or vice versa), they can deduce the current state.
Root Cause
The root cause lies in the LiveQuery event emission logic that does not account for whether an update affects only protected fields. The system emits update events based on any field modification, without considering that the mere presence of an event could leak information about protected field changes. The fix requires suppressing update events entirely when the only modified fields are protected, preventing the binary oracle attack vector.
Attack Vector
The attack is network-based and can be executed without authentication or user interaction. An attacker subscribes to LiveQuery for a specific object or class, specifying watch parameters that target protected fields. By monitoring the stream of update events and correlating them with other observable actions, the attacker can deduce:
- When protected boolean fields change state
- The current value of protected boolean fields (through inference from change timing)
- Patterns in protected field modifications that may reveal business logic or user behavior
The attack is particularly effective against boolean fields where the binary nature of the data matches the binary oracle (event/no-event) perfectly.
Detection Methods for CVE-2026-33429
Indicators of Compromise
- Unusual LiveQuery subscription patterns targeting specific objects with protected fields
- High volume of subscription requests from single IP addresses or sessions
- LiveQuery subscriptions that specify watch parameters for fields that should not be publicly accessible
- Correlation between subscription activity and protected field modification times
Detection Strategies
- Monitor LiveQuery subscription requests for attempts to watch protected or sensitive fields
- Implement rate limiting on LiveQuery subscription creation to prevent enumeration attacks
- Log and alert on subscription patterns that target known protected field names across multiple objects
- Review application logs for unusual subscription activity coinciding with sensitive data operations
Monitoring Recommendations
- Enable detailed logging for LiveQuery subscription creation and field watch specifications
- Set up alerts for subscription requests that include known protected field names in watch parameters
- Monitor for sustained connections that receive minimal data but maintain long-lived subscriptions
- Track client behavior patterns to identify reconnaissance or enumeration attempts
How to Mitigate CVE-2026-33429
Immediate Actions Required
- Upgrade Parse Server to version 8.6.54 or later for stable releases
- Upgrade Parse Server to version 9.6.0-alpha.43 or later for alpha releases
- Review which fields are designated as protected and ensure they are appropriately configured
- Audit existing LiveQuery subscriptions for potential exploitation attempts
Patch Information
Parse Platform has released security patches addressing this vulnerability. The fixes are available in the following commits:
- Patch commit 0c0a0a5a37ca821d2553119f2cb3be35322eda4b
- Patch commit c62eacaf38de86913f09240583448360b1cc8e67
For complete details, refer to the GitHub Security Advisory GHSA-qpc3-fg4j-8hgm.
Workarounds
- Disable LiveQuery functionality entirely if not required for application functionality
- Restrict LiveQuery subscriptions to authenticated users with appropriate access controls
- Implement application-level filtering to prevent subscriptions targeting sensitive object classes
- Consider moving highly sensitive boolean fields to separate classes with stricter access controls
# Example: Update Parse Server to patched version
npm update parse-server@8.6.54
# Or for alpha channel users
npm update parse-server@9.6.0-alpha.43
# Verify installed version
npm list parse-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
