Vulnerability details: VCID-82fj-6jd2-hqc1
Vulnerability ID VCID-82fj-6jd2-hqc1
Aliases CVE-2026-34363
GHSA-m983-v2ff-wq65
Summary LiveQuery protected field leak via shared mutable state across concurrent subscribers

### Impact

When multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object.

Additionally, when an afterEvent Cloud Code trigger is registered, one subscriber's trigger modifications can leak to other subscribers through the same shared mutable state.

Any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class.

### Patches

The fix deep-clones the shared objects at the start of each subscriber's processing callback, ensuring each subscriber works on an independent copy. Additionally, a bug was fixed where master key LiveQuery clients could not receive events on classes with protected fields due to an incorrect type passed to the sensitive data filter.

### Workarounds

There is no known workaround.

### Resources

- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65
- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10330
- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10331
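
The shared-state pattern described in the summary, as an added example that is not Parse Server code: a simplified model in which an in-place filter and a per-subscriber trigger run against either one shared object or a deep clone per subscriber. Every name here (`filterSensitive`, `afterEvent`, `deliver`, the client shape, the sample data) is hypothetical, and the server's concurrent callbacks are modelled as a fixed delivery order so the outcome is reproducible.

```javascript
// Added illustration, not Parse Server source. All names are hypothetical.
const PROTECTED = ['email', 'authData'];

// Adequate deep copy for the JSON-shaped sample object used below.
const deepClone = (o) => JSON.parse(JSON.stringify(o));

// In-place sensitive-data filter: strips protected fields for non-master clients.
function filterSensitive(obj, client) {
  if (!client.master) for (const f of PROTECTED) delete obj[f];
  return obj;
}

// Per-subscriber trigger: decorates the object for one client only.
function afterEvent(obj, client) {
  if (client.master) obj.moderationNote = 'constructed internal note';
}

// Process one event for every subscriber. `isolate` selects the shared object
// (pre-fix shape) or an independent deep clone per subscriber (fixed shape).
function deliver(eventObject, clients, isolate) {
  return clients.map((client) => {
    const obj = isolate ? deepClone(eventObject) : eventObject;
    afterEvent(obj, client);
    filterSensitive(obj, client);
    // Snapshot what would be serialized to this client at this moment.
    return { to: client.id, sent: deepClone(obj) };
  });
}

// Constructed sample data.
const makeEvent = () => ({ objectId: 'u1', name: 'alice', email: 'a@example.test',
                           authData: { provider: 'x', token: 't0k' } });
const admin = { id: 'admin', master: true };
const guest = { id: 'guest', master: false };

// Returns, per client id, the sorted field names that client was sent.
function demo(order, isolate) {
  const out = {};
  for (const m of deliver(makeEvent(), order, isolate)) {
    out[m.to] = Object.keys(m.sent).sort();
  }
  return out;
}

console.log('shared, admin first:', demo([admin, guest], false)); // guest sees the trigger field
console.log('shared, guest first:', demo([guest, admin], false)); // admin loses protected fields
console.log('cloned, guest first:', demo([guest, admin], true));  // each client gets its own view
```

With the shared object, the result depends on processing order, which the server does not control under concurrent subscribers; with a clone per subscriber it does not.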
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2026-34363
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-m983-v2ff-wq65
cvssv4 8.2 https://github.com/parse-community/parse-server
generic_textual HIGH https://github.com/parse-community/parse-server
cvssv4 8.2 https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b
generic_textual HIGH https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b
ssvc Track https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b
cvssv4 8.2 https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055
generic_textual HIGH https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055
ssvc Track https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055
cvssv4 8.2 https://github.com/parse-community/parse-server/pull/10330
generic_textual HIGH https://github.com/parse-community/parse-server/pull/10330
ssvc Track https://github.com/parse-community/parse-server/pull/10330
cvssv4 8.2 https://github.com/parse-community/parse-server/pull/10331
generic_textual HIGH https://github.com/parse-community/parse-server/pull/10331
ssvc Track https://github.com/parse-community/parse-server/pull/10331
cvssv3.1_qr HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65
cvssv4 8.2 https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65
generic_textual HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65
cvssv4 8.2 https://nvd.nist.gov/vuln/detail/CVE-2026-34363
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-34363
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server
Attack Vector (AV): network
Attack Complexity (AC): low
Attack Requirements (AT): present
Privileges Required (PR): none
User Interaction (UI): none
Vulnerable System Impact Confidentiality (VC): high
Vulnerable System Impact Integrity (VI): none
Vulnerable System Impact Availability (VA): none
Subsequent System Impact Confidentiality (SC): none
Subsequent System Impact Integrity (SI): none
Subsequent System Impact Availability (SA): none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/ Found at https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/ Found at https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/10330
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/ Found at https://github.com/parse-community/parse-server/pull/10330
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/10331
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/ Found at https://github.com/parse-community/parse-server/pull/10331
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34363
Exploit Prediction Scoring System (EPSS)
Percentile 0.06809
EPSS Score 0.00023
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:57:16.766695+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-m983-v2ff-wq65/GHSA-m983-v2ff-wq65.json 38.6.0