CVE-2026-33421

EPSS 0.01%
Veröffentlicht 24.03.2026 18:14:30
Zuletzt bearbeitet 25.03.2026 21:22:58
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API. This issue has been patched in versions 8.6.53 and 9.6.0-alpha.42.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.53

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.6.0

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha1 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha10 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha11 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha12 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha13 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha14 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha15 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha16 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha17 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha18 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha19 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha2 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha20 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha21 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha22 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha23 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha24 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha25 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha26 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha27 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha28 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha29 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha30 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha31 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha32 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha33 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha34 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha35 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha36 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha37 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha38 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha39 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha4 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha40 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha41 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha5 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha6 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha7 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha8 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha9 SwPlatformnode.js

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.009

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	7.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576

Vendor Advisory

https://github.com/parse-community/parse-server/pull/10250

Issue Tracking

https://github.com/parse-community/parse-server/pull/10252

Issue Tracking

https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea

Patch

https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-33421

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33421

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33421

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33421