CVE-2026-33429 - Vulnerability Details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. This issue has been patched in versions 8.6.54 and 9.6.0-alpha.43.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Parse Community	Parse Server
Parseplatform	Parse-server

Configuration 1 [-]

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha28::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha29::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha30::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha31::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha32::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha33::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha34::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha35::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha36::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha37::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha38::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha39::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha40::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha41::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha42::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9::::node.js::*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Parse Community	Parse Server

References

Link	Providers
https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b
https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67
https://github.com/parse-community/parse-server/pull/10253
https://github.com/parse-community/parse-server/pull/10254
https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm

History

Wed, 25 Mar 2026 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Parseplatform Parseplatform parse-server
CPEs		cpe:2.3:a:parseplatform:parse-server::::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha28::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha29::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha30::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha31::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha32::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha33::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha34::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha35::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha36::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha37::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha38::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha39::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha40::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha41::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha42::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9::::node.js::*
Vendors & Products		Parseplatform Parseplatform parse-server
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Wed, 25 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 25 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Parse Community Parse Community parse Server
Vendors & Products		Parse Community Parse Community parse Server

Tue, 24 Mar 2026 18:30:00 +0000

Type	Values Removed	Values Added
Description		Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. This issue has been patched in versions 8.6.54 and 9.6.0-alpha.43.
Title		Parse Server: Protected field change detection oracle via LiveQuery watch parameter
Weaknesses		CWE-203
References		https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67 https://github.com/parse-community/parse-server/pull/10253 https://github.com/parse-community/parse-server/pull/10254 https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm
Metrics		cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-24T18:16:35.414Z

Updated: 2026-03-25T13:34:05.792Z

Reserved: 2026-03-19T18:45:22.434Z

Link: CVE-2026-33429

Vulnrichment

Updated: 2026-03-25T13:33:58.051Z

NVD

Status : Analyzed

Published: 2026-03-24T19:16:53.883

Modified: 2026-03-25T21:22:23.367

Link: CVE-2026-33429

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:19:00Z

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object