8 matches found
BIT-PARSE-2026-33421 Parse Server: LiveQuery bypasses CLP pointer permission enforcement
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any...
CVE-2026-33421
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any...
CVE-2026-33421
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any...
CVE-2026-33421 Parse Server: LiveQuery bypasses CLP pointer permission enforcement
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any...
CVE-2026-33421
Parse Server’s LiveQuery WebSocket interface historically did not enforce Class-Level Permission pointer permissions (readUserFields and pointerFields) prior to versions 8.6.53 and 9.6.0-alpha.42. Any authenticated user could subscribe to LiveQuery events and receive real-time updates for objects...
Incorrect Authorization
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization in the LiveQuery WebSocket interface due to improper enforcement of pointer permissions. An attacker...
GHSA-FPH2-R4QG-9576 Parse Server's LiveQuery bypasses CLP pointer permission enforcement
Impact Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions,...
PT-2026-26759
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.53 Parse Server versions prior to 9.6.0-alpha.42 Description Parse Server’s LiveQuery WebSocket interface did not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields...