Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-33429
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-24 Mar, 2026 | 18:16
Updated At-25 Mar, 2026 | 13:34
Rejected At-
▼CVE Numbering Authority (CNA)
Parse Server: Protected field change detection oracle via LiveQuery watch parameter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. This issue has been patched in versions 8.6.54 and 9.6.0-alpha.43.

Affected Products
Vendor
parse-community
Product
parse-server
Versions
Affected
  • < 8.6.54
  • >= 9.0.0, < 9.6.0-alpha.43
Problem Types
TypeCWE IDDescription
CWECWE-203CWE-203: Observable Discrepancy
Type: CWE
CWE ID: CWE-203
Description: CWE-203: Observable Discrepancy
Metrics
VersionBase scoreBase severityVector
4.06.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Version: 4.0
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm
x_refsource_CONFIRM
https://github.com/parse-community/parse-server/pull/10253
x_refsource_MISC
https://github.com/parse-community/parse-server/pull/10254
x_refsource_MISC
https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b
x_refsource_MISC
https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67
x_refsource_MISC
Hyperlink: https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/parse-community/parse-server/pull/10253
Resource:
x_refsource_MISC
Hyperlink: https://github.com/parse-community/parse-server/pull/10254
Resource:
x_refsource_MISC
Hyperlink: https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b
Resource:
x_refsource_MISC
Hyperlink: https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found