EXECUTIVE SUMMARY:
The vulnerability CVE-2026-33163 (CVSS score 8.2, High severity) affects the parse-community parse-server and arises from improper handling of protected data in LiveQuery event processing. Specifically, when a Parse.Cloud.afterLiveQueryEvent trigger is configured for a class, the server unintentionally exposes sensitive fields, including protectedFields and authentication-related data, to all subscribed clients. This issue impacts versions >= 9.0.0 and < 9.6.0-alpha.35, as well as versions < 8.6.50, where the LiveQuery mechanism includes restricted data in the event payloads for create, update, delete, enter, and leave operations. An attacker, or any user with sufficient class-level subscription permissions, can access sensitive information belonging to other users without authorization, a significant breach of data confidentiality. The vulnerability requires no user interaction and can be exploited remotely with low attack complexity, which raises its risk profile. The exposure of protected fields undermines class-level permission controls and may leak personal or authentication data across tenants or users. Overall, this flaw is a serious information disclosure vulnerability in Parse Server deployments that rely on LiveQuery functionality.
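The event path the summary describes, as an added example that is not parse-server's own code: a minimal JavaScript model of LiveQuery fan-out that contrasts sending the post-trigger object to every subscriber unfiltered with enforcing protectedFields per subscriber before emitting. The protectedFields semantics modelled here (only the "*" and "role:<name>" keys, with matching lists intersected) are an assumption, as are all sample values.

```javascript
// Added example, not parse-server's own code: a small model of one LiveQuery
// event being fanned out to subscribed clients. The unfiltered path is the
// failure mode the advisory describes; the filtered path is what a patched
// server is expected to do. Assumptions: only "*" and "role:<name>" keys of
// protectedFields are modelled, lists are intersected. All data is constructed.

const classLevelPermissions = {
  protectedFields: {
    "*": ["email", "authData"], // hidden from every subscriber by default
    "role:Admin": [],           // subscribers in the Admin role see all fields
  },
};

// Resolve which fields must be hidden from one subscriber.
function protectedFieldsFor(clp, subscriber) {
  const pf = clp.protectedFields || {};
  let hidden = new Set(pf["*"] || []);
  for (const role of subscriber.roles || []) {
    const list = pf[`role:${role}`];
    if (list === undefined) continue;
    hidden = new Set(list.filter((f) => hidden.has(f))); // intersection: most permissive wins
  }
  return hidden;
}

// Copy of the object with the hidden fields removed.
function stripFields(object, hidden) {
  return Object.fromEntries(Object.entries(object).filter(([k]) => !hidden.has(k)));
}

// Vulnerable fan-out: the object leaving the trigger goes to every subscriber as-is.
function fanOutUnfiltered(eventName, object, subscribers) {
  return subscribers.map((s) => ({ clientId: s.clientId, event: eventName, object: { ...object } }));
}

// Expected fan-out: protectedFields are enforced for each subscriber separately.
function fanOutFiltered(eventName, object, subscribers, clp) {
  return subscribers.map((s) => ({
    clientId: s.clientId,
    event: eventName,
    object: stripFields(object, protectedFieldsFor(clp, s)),
  }));
}

// Constructed sample: an "update" event on a user object, seen by two subscribers.
const sampleObject = { objectId: "u1", username: "alice", email: "alice@example.com", authData: { twitter: {} } };
const sampleSubscribers = [{ clientId: "c-anon", roles: [] }, { clientId: "c-admin", roles: ["Admin"] }];
const leaked = fanOutUnfiltered("update", sampleObject, sampleSubscribers);
const safe = fanOutFiltered("update", sampleObject, sampleSubscribers, classLevelPermissions);
```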
RECOMMENDATION:
We strongly recommend you update parse-server to version 8.6.50 or 9.6.0-alpha.35.
REFERENCES:
The following reports contain further technical details: