
PEACH
Un cadre d’isolation des locataires
CVE-2026-57481 is an information disclosure vulnerability in Parse Server's LiveQuery feature, tracked as GHSA-97pr-9hgg-3p8r. It allows an authenticated LiveQuery subscriber to receive object field values they are not authorized to read when a single save operation simultaneously changes both object field data and the subscriber's ACL read access. Affected versions include parse-server >= 9.0.0 and < 9.9.1-alpha.13, as well as all versions <= 8.6.82 in the v8 branch. The vulnerability was published and patched on June 19, 2026, by maintainer mtrezza. It carries a CVSS v4 base score of 2.3 (Low) (GitHub Advisory).
The root cause is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw resides in ParseLiveQueryServer._onAfterSave in src/LiveQuery/ParseLiveQueryServer.ts, which failed to verify the subscriber's ACL read authorization for the specific object state included in LiveQuery leave and enter events. When a save removes a subscriber's read access, the resulting leave event incorrectly carried the post-update object body (data the subscriber is no longer permitted to see); symmetrically, when a save grants read access, the enter event included the pre-grant object state (data the subscriber was never authorized to read). Exploitation requires the attacker to already be an authenticated subscriber (low privileges) and depends on the specific deployment condition where content and ACL changes are combined in a single save on a LiveQuery-enabled class. Master-key subscribers and normal query-mismatch leave/enter events are unaffected (GitHub Advisory, PR #10515).
The impact is limited to confidentiality — there is no integrity or availability impact. A subscriber can receive unauthorized object field values, but only for the single object involved in the combined ACL+content save, and only the subscriber whose access changed is affected. There is no potential for lateral movement, remote code execution, or broader data exfiltration beyond the disclosed object state in that specific event (GitHub Advisory).
new Parse.Query('SensitiveClass')).leave event (if ACL was revoked) or enter event (if ACL was granted) delivered over the WebSocket. The event payload will contain object field values the subscriber is not authorized to read — either the post-revocation state (leave) or the pre-grant state (enter) (GitHub Advisory, PR #10515).Upgrade parse-server to version 9.9.1-alpha.13 (for v9 users) or 8.6.83 (for v8/LTS users), both released on June 19, 2026. The fix adds ACL-read authorization checks in _onAfterSave so that leave events deliver only the last authorized object state and enter events omit the pre-grant snapshot. As a workaround, avoid combining object field changes and ACL changes in the same save on LiveQuery-enabled classes — perform the ACL change in a separate save before or after the content change. Alternatively, restrict which classes are enabled for LiveQuery to reduce exposure (GitHub Advisory, PR #10516).
The vulnerability was reported and coordinated by parse-community maintainer mtrezza, who also authored both fix pull requests. No notable external researcher commentary, media coverage, or significant community discussion beyond the GitHub advisory and pull request threads has been identified at this time (GitHub Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."