CVE-2026-34363 Overview
CVE-2026-34363 is a race condition vulnerability in Parse Server, an open source backend framework designed to run on any infrastructure supporting Node.js. This vulnerability affects the LiveQuery subscription mechanism where multiple clients subscribing to the same class can inadvertently receive sensitive data intended for other subscribers due to improper handling of shared mutable objects.
When multiple clients subscribe to the same class via LiveQuery, event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, creating a race condition where one subscriber's filter removing a protected field can cause subsequent subscribers to receive an already-filtered object. This results in protected fields and authentication data leaking to unauthorized clients, or legitimate clients receiving incomplete data.
Critical Impact
Protected fields and authentication data can leak to unauthorized clients through LiveQuery subscriptions, potentially exposing sensitive user information and credentials across multiple connected clients.
Affected Products
- Parse Server versions prior to 8.6.65
- Parse Server 9.7.0-alpha.1 through 9.7.0-alpha.8
- Any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers
Discovery Timeline
- 2026-03-31 - CVE CVE-2026-34363 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34363
Vulnerability Analysis
This vulnerability stems from a classic race condition pattern (CWE-362) in the LiveQuery subscription handling mechanism. Parse Server's LiveQuery feature allows real-time communication between clients and the server, enabling clients to receive updates when data changes. The core issue lies in how the server processes multiple concurrent subscribers to the same class.
When a LiveQuery event occurs, the server creates an object representing the changed data and passes it through various filters and triggers. The sensitive data filter is responsible for removing protected fields from objects before they reach unauthorized clients. However, instead of creating a copy of the object for each subscriber, the filter modifies the shared object in-place.
This design flaw means that when multiple clients are subscribed to the same class, the processing order determines which clients receive what data. If Client A's filter removes a protected field first, Client B may receive the filtered object even if Client B should have access to that field. Conversely, if processing order differs, unauthorized clients may receive sensitive data before filters are applied.
Additionally, when afterEvent Cloud Code triggers are registered, modifications made by one subscriber's trigger can leak to other subscribers through the same shared mutable state, further compounding the data exposure risk.
Root Cause
The root cause is the use of shared mutable objects across concurrent subscriber event processing without proper isolation or defensive copying. The LiveQuery event handler processes each subscriber using the same object reference, and in-place modifications by the sensitive data filter create a Time-of-Check Time-of-Use (TOCTOU) race condition. This architectural decision prioritized performance over security isolation, allowing state changes from one subscriber's processing to affect subsequent subscribers.
Attack Vector
This vulnerability is exploitable over the network. An attacker can exploit this vulnerability by:
- Subscribing to a LiveQuery channel for a class containing protected fields
- Timing their subscription to coincide with other legitimate users
- Observing the race condition where protected fields or authentication data leak through due to concurrent processing
- Harvesting sensitive information that should have been filtered based on their access level
The vulnerability requires no special privileges or user interaction. The attack surface includes any Parse Server deployment where multiple clients subscribe to classes containing protected fields or where afterEvent Cloud Code triggers modify data.
Detection Methods for CVE-2026-34363
Indicators of Compromise
- Unusual patterns of LiveQuery subscriptions from single IP addresses or user accounts targeting classes with protected fields
- Log entries showing inconsistent data delivery where clients receive fields they should not have access to
- Client-side complaints about receiving incomplete data objects when they should have full access
- Anomalous spikes in LiveQuery subscription activity coinciding with sensitive data classes
Detection Strategies
- Monitor LiveQuery subscription logs for multiple concurrent subscriptions to the same class from different authentication contexts
- Implement application-level logging to track which fields are delivered to each subscriber and flag inconsistencies
- Review access logs for patterns suggesting exploitation attempts, such as rapid subscribe/unsubscribe cycles
- Deploy network-level monitoring to detect abnormal WebSocket traffic patterns associated with LiveQuery connections
Monitoring Recommendations
- Enable verbose logging for LiveQuery events to capture field-level data delivery information
- Set up alerts for high-volume concurrent subscriptions to classes containing protected fields
- Monitor for authentication tokens or session data appearing in unexpected client responses
- Implement periodic audits comparing expected data access patterns against actual LiveQuery deliveries
How to Mitigate CVE-2026-34363
Immediate Actions Required
- Upgrade Parse Server to version 8.6.65 or 9.7.0-alpha.9 immediately
- Temporarily disable LiveQuery subscriptions for classes containing protected fields if immediate patching is not possible
- Review recent LiveQuery logs to identify potential data exposure incidents
- Audit afterEvent Cloud Code triggers for modifications that could leak through shared state
Patch Information
Parse Platform has released patches addressing this vulnerability. The fix ensures proper isolation of objects processed for each subscriber by implementing defensive copying before applying filters and triggers.
- Stable Branch: Upgrade to Parse Server version 8.6.65 - GitHub Commit 5834e29
- Alpha Branch: Upgrade to Parse Server version 9.7.0-alpha.9 - GitHub Commit 776c71c
For detailed patch information, review GitHub Pull Request #10330 and GitHub Pull Request #10331. The full security advisory is available at GitHub Security Advisory GHSA-m983-v2ff-wq65.
Workarounds
- Disable LiveQuery for classes containing protected fields until the patch can be applied
- Implement rate limiting on LiveQuery subscriptions to reduce the window for race condition exploitation
- Move sensitive data to separate classes that do not use LiveQuery subscriptions
- Review and simplify afterEvent Cloud Code triggers to minimize state modifications during LiveQuery processing
- Consider implementing application-level encryption for sensitive fields as an additional defense layer
# Verify Parse Server version after patching
npm list parse-server | grep parse-server
# Example: Temporarily disable LiveQuery in Parse Server configuration
# In your Parse Server initialization, remove or comment out the liveQuery configuration
# until patching is complete:
# liveQuery: {
# classNames: ['YourClassName'] // Comment out or remove affected classes
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
