GHSA-mmg8-87c5-jrc2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mmg8-87c5-jrc2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mmg8-87c5-jrc2/GHSA-mmg8-87c5-jrc2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mmg8-87c5-jrc2
- Aliases
- Published
- 2026-04-01T00:07:39Z
- Modified
- 2026-04-06T15:27:07.776510020Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
- Details
-
Impact
An authenticated user with
findclass-level permission can bypass theprotectedFieldsclass-level permission setting on LiveQuery subscriptions. By sending a subscription with a$or,$and, or$noroperator value as a plain object with numeric keys and alengthproperty (an "array-like" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value.Patches
The fix validates that
$or,$and, and$noroperator values are arrays in the LiveQuery subscription handler, the query depth checker, and the protected-field guard. As defense in depth, the LiveQuery query evaluator also rejects non-array values for these operators.Workarounds
There is no known workaround.
- Database specific
{ "nvd_published_at": "2026-03-31T16:16:34Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-843" ], "github_reviewed_at": "2026-04-01T00:07:39Z" }- References
-
- https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2
- https://nvd.nist.gov/vuln/detail/CVE-2026-34595
- https://github.com/parse-community/parse-server/pull/10350
- https://github.com/parse-community/parse-server/pull/10351
- https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98
- https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2
- https://github.com/parse-community/parse-server
Affected packages
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server