#VU124989 Incorrect authorization in Parse Server - CVE-2026-30947
Published: April 6, 2026
Parse Server
Parse Community
Description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in LiveQuery subscriptions when handling subscription requests and event delivery. A remote attacker can subscribe to a LiveQuery-enabled class without authorization checks to disclose sensitive information.
Data restricted by class-level permissions can be leaked to unauthorized subscribers in real time.
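To triage exposure, the classes that matter are those that are both LiveQuery-enabled and read-restricted by class-level permissions. The following is an added example, not code from the advisory or from Parse Server: `auditLiveQueryExposure` is a hypothetical helper, the inputs are constructed samples shaped like the `liveQuery.classNames` option and the schema objects returned by the Parse schemas API, and an absent CLP entry is assumed to mean unrestricted access.

```javascript
// Added example: lists LiveQuery-enabled classes whose read access is
// restricted by class-level permissions (CLP). All data below is constructed.

// CLP operations that govern reading objects of a class.
const READ_OPS = ['find', 'get'];

// Assumption: a class with no CLP, or no entry for the operation, is
// unrestricted; otherwise the operation is public only if '*' is granted.
function isPublic(clp, op) {
  if (!clp || clp[op] === undefined) return true;
  return clp[op]['*'] === true;
}

// liveQueryClassNames: array from the server's liveQuery.classNames option.
// schemas: array of { className, classLevelPermissions } objects.
function auditLiveQueryExposure(liveQueryClassNames, schemas) {
  const enabled = new Set(liveQueryClassNames || []);
  const findings = [];
  for (const schema of schemas) {
    if (!enabled.has(schema.className)) continue; // no LiveQuery, out of scope
    const restrictedOps = READ_OPS.filter(
      (op) => !isPublic(schema.classLevelPermissions, op)
    );
    if (restrictedOps.length > 0) {
      findings.push({ className: schema.className, restrictedOps });
    }
  }
  return findings;
}

// Constructed sample configuration and schemas.
const sampleLiveQueryClasses = ['ChatMessage', 'Invoice', 'AuditLog'];
const sampleSchemas = [
  { className: 'ChatMessage',
    classLevelPermissions: { find: { '*': true }, get: { '*': true } } },
  { className: 'Invoice',
    classLevelPermissions: { find: { requiresAuthentication: true },
                             get: { requiresAuthentication: true } } },
  { className: 'AuditLog',
    classLevelPermissions: { find: {}, get: { 'role:Admin': true } } },
  { className: 'Secret', // restricted, but not LiveQuery-enabled
    classLevelPermissions: { find: {}, get: {} } },
];

console.log(auditLiveQueryExposure(sampleLiveQueryClasses, sampleSchemas));
```

Classes reported by this check are the ones to prioritise when patching and when reviewing which clients held LiveQuery subscriptions.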