BIT-parse-2026-57481

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/parse/BIT-parse-2026-57481.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-parse-2026-57481
Aliases
Published
2026-07-14T15:50:21.536Z
Modified
2026-07-14T16:40:56.037831743Z
Summary
Parse Server: LiveQuery discloses object data to a subscriber across an ACL read-access change
Details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber's ACL read access, because leave and enter events included the wrong object state. This issue is fixed in versions 9.9.1 and 8.6.83.

Database specific
{
    "severity": "Low",
    "cpes": [
        "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*"
    ]
}
References

Affected packages

Bitnami / parse

Package

Name
parse
Purl
pkg:bitnami/parse

Severity

  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.6.83
Introduced
9.0.0
Fixed
9.9.1

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/parse/BIT-parse-2026-57481.json"