CVE-2026-57481 Overview
CVE-2026-57481 is an information disclosure vulnerability in Parse Server, an open source backend that runs on Node.js. The flaw affects the LiveQuery subscription mechanism prior to versions 9.9.1-alpha.13 and 8.6.83. When a single save operation simultaneously modified an object field and revoked or granted the subscriber's Access Control List (ACL) read access, the resulting leave and enter events carried the wrong object state. As a result, a LiveQuery subscriber could receive field values they were not authorized to read. The issue is categorized under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor).
Critical Impact
Authenticated LiveQuery subscribers can receive object field data across an ACL read-access boundary change, leaking values the client is no longer or not yet authorized to read.
Affected Products
- Parse Server versions prior to 8.6.83 (8.x branch)
- Parse Server versions prior to 9.9.1-alpha.13 (9.x branch)
- Any Node.js deployment relying on the built-in Parse LiveQuery server
Discovery Timeline
- 2026-07-08 - CVE-2026-57481 published to NVD
- 2026-07-08 - Last updated in NVD database
- Patched via commits c9b24ce and e9c85df, released as Parse Server 8.6.83 and 9.9.1-alpha.13, and documented in GHSA-97pr-9hgg-3p8r
Technical Details for CVE-2026-57481
Vulnerability Analysis
Parse Server's LiveQuery feature streams real-time changes over WebSocket to subscribed clients. When an object is modified, the server emits transition events such as enter, leave, update, and create. Each event includes the object body the subscriber is authorized to see.
A leave or enter transition can be triggered by two distinct causes. The first is a query-match change, in which the subscriber retains read access. The second is an ACL change during the same save, where the subscriber gains or loses read authorization. The pre-patch logic in src/LiveQuery/ParseLiveQueryServer.ts did not distinguish between these cases. It sent the post-update body on leave events and the pre-update body on enter events regardless of whether the client was authorized to read that specific state.
Root Cause
The vulnerability stems from missing per-transition ACL verification. Class-Level Permissions (CLP) checks were handled earlier by _matchesCLP, but object-level ACL evaluation was not repeated for the specific object state being delivered. When ACL read access flipped in the same save that changed a watched field, the transition event carried the unauthorized state directly to the client.
Attack Vector
Exploitation requires an authenticated client with an active LiveQuery subscription and low privileges. The attacker maintains a subscription against a class that another actor updates. When a save mutates a watched field and simultaneously revokes the attacker's ACL read access, the resulting leave event discloses the updated field values. The reverse case applies to enter events on ACL grants, exposing the prior object state.
if (!watchFieldsChanged && (type === 'update' || type === 'create')) {
return;
}
// A `leave` or `enter` transition can be caused either by the object's
// query match changing (the subscriber keeps read access) or by the
// subscriber's ACL read access being revoked or granted in the same save.
// In the access-change case the subscriber is not authorized to read the
// object state that triggered the transition, so that state must not be
// sent over the channel. (CLP read denial is handled earlier by
// `_matchesCLP`, which skips the event entirely.)
if (type === 'leave') {
const currentReadable = isCurrentSubscriptionMatched
? false
: await this._matchesACL(message.currentParseObject.getACL(), client, requestId);
if (!currentReadable) {
localCurrentParseObject = JSON.parse(JSON.stringify(localOriginalParseObject));
}
} else if (type === 'enter') {
const originalReadable = isOriginalSubscriptionMatched
? false
: await this._matchesACL(message.originalParseObject.getACL(), client, requestId);
if (!originalReadable) {
localOriginalParseObject = null;
}
}
Source: Parse Server commit c9b24ce. The patch re-evaluates ACL read access for the specific object state being emitted and substitutes an authorized fallback when access is denied.
Detection Methods for CVE-2026-57481
Indicators of Compromise
- LiveQuery leave or enter events delivered to clients whose ACL read access was changed by the same save operation.
- Unexpected field values appearing in WebSocket frames destined for accounts that should no longer match the object ACL.
- Application logs showing successful LiveQuery deliveries followed by permission denials for equivalent REST reads by the same session.
Detection Strategies
- Audit Parse Server versions in production and staging using package manifests to identify hosts running versions below 8.6.83 or 9.9.1-alpha.13.
- Inspect LiveQuery server logs for concurrent ACL updates and field changes within the same save request, correlated with subscriber session identifiers.
- Enable verbose LiveQuery logging in a controlled environment and replay ACL-change scenarios to confirm which subscribers received the affected payloads.
Monitoring Recommendations
- Forward Parse Server and reverse proxy access logs to a centralized log platform for retention and correlation of WebSocket traffic.
- Track outbound LiveQuery payload sizes and event types per client session to identify anomalous event bursts tied to ACL modifications.
- Alert on API requests that update both ACL and non-ACL fields in a single save on classes with active LiveQuery subscribers.
How to Mitigate CVE-2026-57481
Immediate Actions Required
- Upgrade Parse Server to 8.6.83 on the 8.x branch or 9.9.1-alpha.13 on the 9.x branch.
- Restart LiveQuery server processes after upgrade to ensure the patched event handler is loaded.
- Review classes that mix ACL changes with field updates and validate that current subscribers only receive authorized states.
Patch Information
The fix is delivered in commits c9b24ce and e9c85df, merged through PR #10515 and PR #10516. The patched releases are 8.6.83 and 9.9.1-alpha.13. Refer to advisory GHSA-97pr-9hgg-3p8r for the full disclosure.
Workarounds
- Avoid combining ACL modifications and watched field updates in a single save operation until the patch is applied.
- Restrict LiveQuery subscriptions on sensitive classes by limiting the classNames allowed in the LiveQuery configuration.
- Enforce coarser CLP read restrictions where feasible, since CLP checks execute before the affected code path and prevent event emission entirely.
# Upgrade Parse Server using npm
npm install parse-server@8.6.83
# or for the 9.x pre-release branch
npm install parse-server@9.9.1-alpha.13
# Verify installed version
npm ls parse-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

