CVE-2026-33421

{"id": "CVE-2026-33421", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-24T19:16:53.713", "references": [{"url": "https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/pull/10250", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/pull/10252", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API. This issue has been patched in versions 8.6.53 and 9.6.0-alpha.42."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.53 y 9.6.0-alpha.42, la interfaz LiveQuery WebSocket de Parse Server no aplica los permisos de puntero de Permiso a Nivel de Clase (CLP) (readUserFields y pointerFields). Cualquier usuario autenticado puede suscribirse a eventos LiveQuery y recibir actualizaciones en tiempo real para todos los objetos en clases protegidas por permisos de puntero, independientemente de si los campos de puntero en esos objetos apuntan al usuario suscriptor. Esto elude el control de acceso de lectura previsto, permitiendo el acceso no autorizado a datos potencialmente sensibles que est\u00e1n correctamente restringidos a trav\u00e9s de la API REST. Este problema ha sido parcheado en las versiones 8.6.53 y 9.6.0-alpha.42."}], "lastModified": "2026-03-25T21:22:58.087", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3A57C95F-A3AA-44EC-AED8-9DDDF24712AA", "versionEndExcluding": "8.6.53"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "1BAC01F8-0899-482C-8D91-64671BF2859A", "versionEndExcluding": "9.6.0", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BBED261F-CA1B-44BC-9C3A-37378590EFEE"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "418338C9-6AEC-492C-ACA4-9B3C0AAE149C"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "808B6482-BF8E-407D-8462-E757657CC323"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B84C28F8-AADE-41BB-A0EF-B701AB57DC3A"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7567BB81-7837-4265-B792-6A9B73CECF93"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "0035C6F1-21B9-42D1-BE29-690905F3558C"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "623FB30A-0693-4449-80FA-16D36B1BE66C"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "9B420167-CD3E-45A7-AD9A-0F83AEC634BA"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "030A8626-DBBD-4BF2-B362-79B44FB1204D"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D38CFCC3-2AA9-4C8E-9064-FE97E6E8C45C"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "65BB78F2-3A1A-4CD1-B8A8-4AB043B5CA50"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "EDC98AF7-8620-4A25-9BE5-623672599677"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "23E28E0F-9379-4628-B9DC-8C94A45902CF"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "6631BE51-74FB-40C0-9E91-0EDF2DCADD7A"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8B0E4254-14A3-4EB6-9E98-CF45EB08B17F"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "0FF63FDE-75F5-44B6-A958-CF653D84D3B4"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "252B812D-A162-41C1-91CD-08D0CBAC5C46"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "421691EA-F55A-4738-8ABD-74B53B6DF155"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "5E7FAB59-142E-4191-9A6F-0744D810CD81"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B010F310-05A1-48AE-B002-8F4C7FA62EB3"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha28:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "4D3B2C32-16D8-415B-A49F-060ECE8F0F33"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha29:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "43BE83C2-C756-4A5A-A340-B7D1FB52078D"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "DF340605-8CC8-4543-9F5D-E8602D258CED"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha30:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "702EBB22-3E9F-4CBE-B855-2E3642C530B1"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha31:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7C17AD66-684F-4662-AF16-838FF05F47D5"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha32:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "13C25963-CAE7-49AA-A941-254DCE289E35"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha33:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B6BF0C2F-DD2B-4864-961F-CA808EF22633"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha34:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8FBB21E9-CB73-4CB1-841A-D1C08167DB51"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha35:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "4CD55F0B-D854-43D4-A0F5-F83386DB24C9"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha36:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "1097E8DF-3D0E-47C6-882D-E37B22119538"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha37:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8C60F121-1C0B-4EB5-87EF-F1BED070C13B"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha38:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "04D8514D-CC66-4E6B-90C8-6108F0DAA661"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha39:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "4BB65A73-7BB7-42E4-97A3-4D6305172E05"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A052DFCA-EDCC-43D7-82C7-E5311F6F7687"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha40:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "192A78FB-E141-4F14-8C4A-20A4118B01C9"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha41:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "CA4FEA42-4240-42B1-A5C2-6F74CBBACB92"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "12B11714-B961-4330-B241-FC5AF94FDBE8"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "37A7C42B-4986-4BB6-BB27-0324A9AA1CFF"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "C793834B-64B4-4DE9-BD7D-79B52C30C34E"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7AD455C8-88BE-4A0A-B33D-3A7811FFB753"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "26C475A2-997C-4C3A-8CB6-04AB3534BBC3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}