CVE-2026-32098
Severity CVSS v4.0:
MEDIUM
Type:
CWE-200
Information Leak / Disclosure
Publication date:
11/03/2026
Last modified:
13/03/2026
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or $regex), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both protectedFields configured in Class-Level Permissions and LiveQuery enabled. This vulnerability is fixed in 9.6.0-alpha.9 and 8.6.35.
Impact
Base Score 4.0
6.90
Severity 4.0
MEDIUM
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:* | 8.6.35 (excluding) | |
| cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:* | 9.0.0 (including) | 9.6.0 (excluding) |
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:* |
To consult the complete list of CPE names with products and versions, see this page