CVE-2026-34595 Overview
Parse Server, an open source backend that can be deployed to any infrastructure running Node.js, contains an authorization bypass vulnerability in its LiveQuery subscription handling. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions by exploiting improper type validation of query operators.
Critical Impact
Authenticated attackers can infer protected field values through a binary oracle attack, potentially exposing sensitive user data configured as protected fields in the Parse Server schema.
Affected Products
- Parse Server versions prior to 8.6.70
- Parse Server 9.7.0-alpha.1 through 9.7.0-alpha.17
- Any Node.js infrastructure running vulnerable Parse Server versions
Discovery Timeline
- March 31, 2026 - CVE-2026-34595 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34595
Vulnerability Analysis
This vulnerability stems from a type confusion weakness (CWE-843) in Parse Server's LiveQuery implementation. The protected-field guard did not validate the type of the values passed to the logical query operators ($or, $and, $nor). When one of these operators receives an "array-like" object (a plain object with numeric keys and a length property, such as { "0": { ... }, "length": 1 }) instead of a real JavaScript array, the guard does not descend into the nested sub-queries, so a constraint on a protected field hidden inside them is never checked.
The subscription itself then serves as a binary oracle. Protected fields are stripped from the objects delivered to the client, but whether an event fires at all depends on whether the object matched the query. By subscribing with a hidden constraint on a protected field and observing whether create/update events arrive, an attacker learns one bit per subscription and can recover the stored value with repeated, narrowing queries. A missing type check thus becomes a data exfiltration channel.
Root Cause
The root cause is insufficient input validation in LiveQuery's query-constraint handling. The code assumed that the logical operators ($or, $and, $nor) would always carry arrays, and nothing rejected other value types. An array-like object is not an Array, so it fails Array.isArray() and is skipped by code that only recurses into real arrays, yet it still behaves like a list of sub-queries where the query is later evaluated. Because no check rejected such values outright, an attacker could supply operator values that slipped past the protected-field filtering logic.
Attack Vector
An authenticated attacker with find class-level permissions can exploit this vulnerability remotely over the network. The attack requires:
- Valid authentication credentials with find permissions on the target class
- Knowledge of protected field names in the schema
- Ability to create LiveQuery subscriptions
The attacker constructs subscription queries using array-like objects instead of arrays for logical operators, then monitors subscription events to determine if protected field values match test values.
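The following is an added example, not Parse Server's code: a simplified model of the LiveQuery protected-field guard before and after the fix, together with the binary-search oracle described above. The function names (guardVulnerable, guardFixed, matches, probe, inferValue), the numeric protected field and the toy matcher are this example's own assumptions; in particular the matcher reads operator values with Array.from, which stands in for whatever downstream evaluation tolerated array-like objects.

```javascript
// Added example, not Parse Server's code: a simplified model of the LiveQuery
// protected-field guard before and after the fix, and the binary oracle built
// on top of it. Function names (guardVulnerable, guardFixed, matches, probe,
// inferValue) and the toy matcher are this example's own assumptions.
const LOGICAL_OPS = ['$or', '$and', '$nor'];
const INVALID_QUERY = 102; // numeric code of Parse.Error.INVALID_QUERY

class QueryError extends Error {
  constructor(message) {
    super(message);
    this.code = INVALID_QUERY;
  }
}

// Shared walk over a `where` clause: rejects constraints on protected fields
// and recurses into the sub-queries of logical operators, but ONLY when the
// operator value is a real Array. An array-like object ({0: ..., length: 1})
// fails Array.isArray and is left uninspected.
function walk(where, protectedFields, recurse) {
  if (typeof where !== 'object' || where === null) return;
  for (const key of Object.keys(where)) {
    const value = where[key];
    if (LOGICAL_OPS.includes(key)) {
      if (Array.isArray(value)) value.forEach(sub => recurse(sub, protectedFields));
      continue;
    }
    if (protectedFields.includes(key)) {
      throw new QueryError(`cannot query protected field ${key}`);
    }
  }
}

// Before the fix: nothing rejects a non-array operator value.
function guardVulnerable(where, protectedFields) {
  walk(where, protectedFields, guardVulnerable);
}

// After the fix (same shape as the patch): a logical operator that is present
// but not an Array is rejected first, at every nesting level.
function guardFixed(where, protectedFields) {
  if (typeof where !== 'object' || where === null) return;
  for (const op of LOGICAL_OPS) {
    if (where[op] !== undefined && !Array.isArray(where[op])) {
      throw new QueryError(`${op} must be an array`);
    }
  }
  walk(where, protectedFields, guardFixed);
}

// Toy matcher standing in for whatever decides whether a subscription event
// fires. ASSUMPTION of this model: it reads logical operators via Array.from,
// so an array-like value behaves exactly like an array here.
function matches(obj, where) {
  return Object.keys(where).every(key => {
    const value = where[key];
    if (key === '$or') return Array.from(value).some(sub => matches(obj, sub));
    if (key === '$and') return Array.from(value).every(sub => matches(obj, sub));
    if (key === '$nor') return !Array.from(value).some(sub => matches(obj, sub));
    if (value !== null && typeof value === 'object' && '$gte' in value) return obj[key] >= value.$gte;
    return obj[key] === value;
  });
}

// One probe = one subscription: the guard runs at subscribe time, the matcher
// when the target object is later saved. `true` models "an event fired".
function probe(where, guard, victim, protectedFields) {
  guard(where, protectedFields);
  return matches(victim, where);
}

// Binary-search a numeric protected field in [lo, hi], hiding the constraint
// inside an array-like $or so the vulnerable guard never looks at it.
function inferValue(guard, victim, protectedFields, field, lo, hi) {
  let probes = 0;
  while (lo < hi) {
    const mid = Math.ceil((lo + hi) / 2);
    const where = { $or: { 0: { [field]: { $gte: mid } }, length: 1 } };
    probes++;
    if (probe(where, guard, victim, protectedFields)) lo = mid; else hi = mid - 1;
  }
  return { value: lo, probes };
}

// Constructed victim object; `balance` is a protected field on its class.
const VICTIM = { objectId: 'acct1', owner: 'u2', balance: 737 };
```

With the vulnerable guard, inferValue(guardVulnerable, VICTIM, ['balance'], 'balance', 0, 1023) recovers 737 in ten subscriptions, each answered only by whether an event fires; the same call against guardFixed is rejected on the first probe with INVALID_QUERY, and a plain-array $or carrying the protected field is rejected by both guards.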
// Security patch in src/LiveQuery/ParseLiveQueryServer.ts
// Source: https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98
if (typeof where !== 'object' || where === null) {
return;
}
+ for (const op of ['$or', '$and', '$nor']) {
+ if (where[op] !== undefined && !Array.isArray(where[op])) {
+ throw new Parse.Error(Parse.Error.INVALID_QUERY, `${op} must be an array`);
+ }
+ if (Array.isArray(where[op])) {
+ where[op].forEach((subQuery: any) => {
+ this._validateQueryConstraints(subQuery);
+ });
+ }
+ }
for (const key of Object.keys(where)) {
const constraint = where[key];
if (typeof constraint === 'object' && constraint !== null) {
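Review bot: the key loop that follows (`for (const key of Object.keys(where))`) still yields `$or`, `$and` and `$nor`, so the array the new loop has just validated is handed to the per-key branch (`typeof constraint === 'object' && constraint !== null` is true for an array) a second time; either `continue` on those three keys inside the key loop or fold the Array.isArray check into it so each operator is handled in exactly one place. Separately, a non-object `where` is silently ignored by the `return` above while a malformed operator now throws INVALID_QUERY; if the silent return is intentional it deserves a comment, since the two paths treat bad input differently.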
Detection Methods for CVE-2026-34595
Indicators of Compromise
- Unusual patterns of LiveQuery subscription creation with malformed query operators
- High volume of subscription requests from single authenticated users targeting classes with protected fields
- Query payloads containing $or, $and, or $nor operators with object values instead of arrays
- Subscription events showing systematic probing patterns against protected field values
Detection Strategies
- Monitor Parse Server logs for subscription requests containing non-array values in logical operators
- Implement application-level logging to track LiveQuery subscription patterns by authenticated user
- Inspect LiveQuery traffic at the proxy or WAF layer for malformed query payloads; note that LiveQuery subscriptions travel over a WebSocket connection, so rules that only inspect HTTP request bodies will not see them unless the proxy also inspects WebSocket frames
- Review Parse Server access logs for repeated subscription create/delete cycles from the same session
Monitoring Recommendations
- Enable detailed logging for LiveQuery operations in Parse Server configuration
- Set up alerts for abnormal subscription activity rates per user session
- After patching, treat INVALID_QUERY errors of the form "$or must be an array" (likewise for $and and $nor) in LiveQuery logs as probable exploitation attempts, since the patch rejects exactly the malformed operators the attack relies on
- Implement rate limiting on LiveQuery subscription creation endpoints
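An added example, not part of the page or of Parse Server, of the detection logic the bullets above describe: it scans logged LiveQuery "subscribe" messages for logical operators whose value is not a real array and for subscription bursts from a single session. The one-JSON-object-per-line format, the field names (ts, op, sessionToken, query.className, query.where) and the sample lines are constructed for this example; Parse Server's own log format for these messages is not shown on the page, so adapt the parsing to how your deployment records them.

```javascript
// Added example, not Parse Server's code: flag array-like logical operators
// and per-session subscribe bursts in a constructed subscribe-message log.
const LOGICAL_OPS = ['$or', '$and', '$nor'];

// Returns the path of the first logical operator whose value is not a real
// Array (plain objects with numeric keys and `length` included), or null.
function findMalformedOperator(where, path = 'where') {
  if (typeof where !== 'object' || where === null) return null;
  for (const key of Object.keys(where)) {
    const value = where[key];
    const here = `${path}.${key}`;
    if (LOGICAL_OPS.includes(key)) {
      if (!Array.isArray(value)) return here;
      for (let i = 0; i < value.length; i++) {
        const hit = findMalformedOperator(value[i], `${here}[${i}]`);
        if (hit) return hit;
      }
    } else if (typeof value === 'object' && value !== null) {
      const hit = findMalformedOperator(value, here);
      if (hit) return hit;
    }
  }
  return null;
}

// Analyse an array of log lines (assumed format: one JSON object per line with
// ts, op, sessionToken and query). Reports every malformed subscribe and any
// session that exceeds `burstLimit` subscribes within `windowMs`.
function analyzeSubscribeLog(lines, { burstLimit = 20, windowMs = 60000 } = {}) {
  const malformed = [];
  const perSession = new Map(); // sessionToken -> timestamps (ms)
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; } // skip non-JSON noise
    if (rec.op !== 'subscribe' || !rec.query) continue;
    const path = findMalformedOperator(rec.query.where);
    if (path) {
      malformed.push({ ts: rec.ts, session: rec.sessionToken, className: rec.query.className, path });
    }
    if (!perSession.has(rec.sessionToken)) perSession.set(rec.sessionToken, []);
    perSession.get(rec.sessionToken).push(Date.parse(rec.ts));
  }
  const bursts = [];
  for (const [session, times] of perSession) {
    times.sort((a, b) => a - b);
    let start = 0; // sliding window over sorted timestamps
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 > burstLimit) {
        bursts.push({ session, count: end - start + 1 });
        break;
      }
    }
  }
  return { malformed, bursts };
}

// Constructed sample: one benign subscribe, one array-like $or probe, then a
// run of 25 probes from the same session inside a single minute.
const SAMPLE_LOG = [
  JSON.stringify({ ts: '2026-04-02T10:00:00Z', op: 'subscribe', sessionToken: 'r:benign',
    query: { className: 'Post', where: { $or: [{ public: true }, { author: 'u1' }] } } }),
  JSON.stringify({ ts: '2026-04-02T10:00:05Z', op: 'subscribe', sessionToken: 'r:probe',
    query: { className: 'Account', where: { $or: { 0: { balance: { $gte: 512 } }, length: 1 } } } }),
  ...Array.from({ length: 25 }, (_, i) => JSON.stringify({
    ts: `2026-04-02T10:01:${String(i).padStart(2, '0')}Z`, op: 'subscribe', sessionToken: 'r:probe',
    query: { className: 'Account', where: { $nor: { 0: { balance: { $gte: 600 + i } }, length: 1 } } } })),
];
```

On the sample, analyzeSubscribeLog(SAMPLE_LOG) reports 26 malformed subscribes, all from session r:probe against the Account class, and one burst for that session; the benign $or with a real array is not flagged. The operator check is the stronger signal, since legitimate clients have no reason to send a non-array $or, while the burst threshold needs tuning to your application's normal subscription rate.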
How to Mitigate CVE-2026-34595
Immediate Actions Required
- Upgrade Parse Server to version 8.6.70 or later for stable releases
- Upgrade Parse Server to version 9.7.0-alpha.18 or later for alpha channel
- Review access logs for evidence of exploitation attempts prior to patching
- Audit class-level permissions to ensure protected fields are properly configured
Patch Information
Parse Platform has released security patches addressing this vulnerability in two branches:
- Stable Branch: Version 8.6.70 - GitHub Commit f63fd1a
- Alpha Branch: Version 9.7.0-alpha.18 - GitHub Commit ffad0ec
The fix adds explicit Array.isArray() validation for $or, $and, and $nor operator values, throwing an INVALID_QUERY error when non-array values are detected. For detailed information, see the GitHub Security Advisory GHSA-mmg8-87c5-jrc2.
Workarounds
- Restrict which classes accept LiveQuery subscriptions through the server configuration (the liveQuery.classNames option), leaving out classes that carry protected fields
- Implement additional authentication requirements for LiveQuery connections at the application layer
- Use network-level controls to limit LiveQuery access to trusted client applications only
- Consider temporarily disabling LiveQuery functionality for classes containing sensitive protected fields until patching is complete
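As an added example (not Parse Server's code) of the audit the workarounds above call for, the block below cross-references the LiveQuery class list against each class's protectedFields and derives the reduced class list to run with until the patched version is deployed. It assumes the liveQuery.classNames option from the Parse Server options object, class schemas in the shape returned by the /schemas endpoint (className plus classLevelPermissions.protectedFields keyed by "*", "role:Name" or a user pointer), and that an absent classNames list means no class is LiveQuery-enabled; the sample data is constructed.

```javascript
// Added example, not Parse Server's code: find classes that are both
// LiveQuery-enabled and carry protected fields, and produce a reduced
// liveQuery.classNames list for the interim. Input shapes are assumptions
// (see lead-in); sample data is constructed.
function protectedFieldEntries(schema) {
  const clp = schema.classLevelPermissions || {};
  const pf = clp.protectedFields || {};
  // keep only audiences for which at least one field is actually hidden
  return Object.entries(pf).filter(([, fields]) => Array.isArray(fields) && fields.length > 0);
}

function enabledClasses(liveQueryOptions) {
  // ASSUMPTION: no classNames configured means LiveQuery serves no class
  return (liveQueryOptions && Array.isArray(liveQueryOptions.classNames)) ? liveQueryOptions.classNames : [];
}

// Every LiveQuery-enabled class that protects at least one field, with the
// audiences ("*", "role:Admin", ...) whose view of the class is restricted.
function liveQueryExposure(liveQueryOptions, schemas) {
  const enabled = new Set(enabledClasses(liveQueryOptions));
  return schemas
    .filter(s => enabled.has(s.className))
    .map(s => ({
      className: s.className,
      protectedFor: protectedFieldEntries(s).map(([who, fields]) => ({ who, fields })),
    }))
    .filter(e => e.protectedFor.length > 0);
}

// Interim workaround: the class list with every exposed class removed.
function safeClassNames(liveQueryOptions, schemas) {
  const exposed = new Set(liveQueryExposure(liveQueryOptions, schemas).map(e => e.className));
  return enabledClasses(liveQueryOptions).filter(c => !exposed.has(c));
}

// Constructed sample configuration and schemas.
const SAMPLE_LIVEQUERY = { classNames: ['Post', 'Account', 'Message'] };
const SAMPLE_SCHEMAS = [
  { className: 'Post', classLevelPermissions: { find: { '*': true }, protectedFields: { '*': [] } } },
  { className: 'Account', classLevelPermissions: { find: { '*': true }, protectedFields: { '*': ['balance', 'ssn'], 'role:Admin': [] } } },
  { className: 'Message', classLevelPermissions: { find: { '*': true }, protectedFields: { '*': ['readAt'] } } },
  { className: 'AuditLog', classLevelPermissions: { find: {}, protectedFields: { '*': ['ip'] } } }, // not LiveQuery-enabled
];
```

On the sample, liveQueryExposure reports Account (balance, ssn hidden from everyone but Admin) and Message (readAt), and safeClassNames returns only Post; AuditLog is ignored because it is not in the LiveQuery list at all. Reinstate the removed classes once the upgrade to 8.6.70 or 9.7.0-alpha.18 is confirmed.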
# Upgrade Parse Server via npm, pinning the patched stable release
npm install parse-server@8.6.70
# Verify the installed version
npm list parse-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.