{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30947", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:34:39.980Z", "datePublished": "2026-03-10T20:16:34.731Z", "dateUpdated": "2026-03-11T14:44:51.461Z"}, "containers": {"cna": {"title": "Parse Server ha a bypass of class-level permissions in LiveQuery", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/8.6.16", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.16"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": ">= 9.0.0 < 9.5.2-alpha.3", "status": "affected"}, {"version": "< 8.6.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:16:34.731Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16."}], "source": {"advisory": "GHSA-7ch5-98q2-7289", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:42:12.712305Z", "id": "CVE-2026-30947", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:44:51.461Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Parse Server ha a bypass of class-level permissions in LiveQuery", "source": {"advisory": "GHSA-7ch5-98q2-7289", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": ">= 9.0.0 < 9.5.2-alpha.3"}, {"status": "affected", "version": "< 8.6.16"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.16", "name": "https://github.com/parse-community/parse-server/releases/tag/8.6.16", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3", "name": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:16:34.731Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30947", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T14:42:12.712305Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-11T14:44:47.045Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-30947", "state": "PUBLISHED", "dateUpdated": "2026-03-10T20:16:34.731Z", "dateReserved": "2026-03-07T17:34:39.980Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T20:16:34.731Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "83C47233-76F8-4D00-9166-30575E9F0C5A", "versionEndExcluding": "8.6.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E66572ED-597B-4D8E-A636-733D463A4E4D", "versionEndExcluding": "9.5.2", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "E0D611B9-CD4F-418B-8FBD-CFA1BCA9E817", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "6521B8A9-6116-4CAE-9B5E-F22C204B1F0C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.5.2-alpha.3 y 8.6.16, los permisos a nivel de clase (CLP) no se aplican para las suscripciones de LiveQuery. Un cliente no autenticado o no autorizado puede suscribirse a cualquier clase habilitada para LiveQuery y recibir eventos en tiempo real para todos los objetos, independientemente de las restricciones de CLP. Todas las implementaciones de Parse Server que utilizan LiveQuery con permisos a nivel de clase se ven afectadas. Los datos destinados a ser restringidos por CLP se filtran a suscriptores no autorizados en tiempo real. Esta vulnerabilidad est\u00e1 corregida en 9.5.2-alpha.3 y 8.6.16."}], "id": "CVE-2026-30947", "lastModified": "2026-03-11T17:15:05.887", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T21:16:47.500", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.16"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.5.2-alpha.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-04-16T03:25:31.875812+00:00", "value": {"mitigation_remediation": ["Upgrade Parse Server to version 8.6.16 or newer, or 9.5.2\u2011alpha.3 or later, which contain the fix that enforces class\u2011level permissions on LiveQuery. ", "If an upgrade cannot be performed immediately, disable the LiveQuery feature in the Parse Server configuration to prevent subscription traffic. ", "Restrict network access to the LiveQuery endpoint using firewall rules or network segmentation, ensuring that only trusted clients can reach it."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized real\u2011time data exposure via LiveQuery"}, "threat_synthesis": {"affected_systems": "All deployments of Parse Server that use LiveQuery with class\u2011level permissions and are running a version earlier than 8.6.16 or earlier than 9.5.2\u2011alpha.3 are affected. The affected product is the open\u2011source Parse Server from Parse Platform, which can be hosted on any Node.js\u2011capable infrastructure.", "description_and_impact": "Parse Server does not enforce class\u2011level permissions for LiveQuery subscriptions prior to version 8.6.16 and 9.5.2\u2011alpha.3. An unauthenticated or unauthorized client can subscribe to any LiveQuery\u2011enabled class and receive real\u2011time events for all objects regardless of the configured permissions. The result is a direct leak of data that should be restricted, allowing an attacker to exfiltrate sensitive information as it changes. This flaw is a classic example of a missing authorization check, identified as CWE\u2011863.", "risk_and_exploitability": "The flaw has a high CVSS score of 8.7, indicating significant impact. The EPSS score is less than 1\u202f%, suggesting that exploitation attempts are unlikely to be widespread at present, and it is not listed in the CISA KEV catalog. However, the vulnerability can be leveraged over the network by sending a subscription request to the LiveQuery endpoint. The attack is feasible for anyone with network access to the Parse Server instance, and no privileged credentials are required. Given the real\u2011time nature of the data leakage, the risk to confidentiality is high even if exploitation is currently rare."}}}}, "created": "2026-03-11T11:42:55.757036+00:00", "updated": "2026-04-16T03:30:06.067380+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}