BIT-PARSE-2026-34363 Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The...

CVE-2026-34363

The CVE entry maps to a Parse Server LiveQuery vulnerability (prote cted fields/afterEvent triggers) where multiple subscribers sharing a class could see leaked or incomplete data due to in-place edits of shared mutable objects by the sensitive data filter. The root cause is shared mutable state ...

LiveQuery protected field leak via shared mutable state across concurrent subscribers

Impact When multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent...

PT-2026-29165

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.65 Parse Server versions prior to 9.7.0-alpha.9 Description Parse Server, an open source backend deployable on Node.js infrastructures, is affected by an issue where sensitive data can leak to unauthorized...