CVE-2026-30947
HIGH WAF: Low
CVSS 7.5
Published: 2026-03-10
CWE-863
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16.
WAF Coverage Analysis
Incorrect Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| parseplatform | parse-server | up to 8.6.16 |
| parseplatform | parse-server | 9.0.0 - 9.5.2 |
| parseplatform | parse-server | 9.5.2 |
| parseplatform | parse-server | 9.5.2 |
References
- github.com (Product, Release Notes)
- github.com (Product, Release Notes)
- github.com (Mitigation, Patch, Vendor Advisory)