Information disclosure in Parse Server - CVE-2026-57481
Published: June 30, 2026
Parse Server
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in LiveQuery enter and leave event handling when processing a save that changes both object field values and the subscriber's ACL read access. A remote user can subscribe to object updates and trigger or receive a crafted state change to disclose sensitive information.
The disclosure is limited to the single object affected by that save and only to the subscriber whose read access changed. Master-key subscribers are not affected.
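A simplified model of the access check that enter and leave events need, added here as an illustration and not Parse Server's own code: each object state carried by an event is delivered only if the subscriber may read it under that state's own ACL. The function names, the event shape with `object` and `original`, and the sample objects are assumptions constructed for this example; the page does not state which state the affected versions exposed.

```javascript
// Hypothetical model of LiveQuery event delivery; not Parse Server code.
// ACL shape follows Parse's JSON form: { "<userId|role:Name|*>": { read: true } }.
function canRead(acl, subjects) {
  if (!acl) return true; // assumption: an object without an ACL is publicly readable
  return ['*', ...subjects].some((s) => Boolean(acl[s]) && acl[s].read === true);
}

// Decide the event type for one subscriber and strip any state that the
// subscriber cannot read under that state's own ACL.
function buildEvent(original, current, matchesQuery, subjects) {
  const readOrig = Boolean(original) && canRead(original.ACL, subjects);
  const readCurr = Boolean(current) && canRead(current.ACL, subjects);
  const wasVisible = readOrig && matchesQuery(original);
  const isVisible = readCurr && matchesQuery(current);
  if (!wasVisible && !isVisible) return null; // nothing to send

  const type = wasVisible && isVisible ? 'update' : isVisible ? 'enter' : 'leave';
  return {
    type,
    // The new field values go only to a subscriber who can read the new state.
    object: readCurr ? current : null,
    // The old field values go only to a subscriber who could read the old state.
    original: readOrig ? original : null,
  };
}

// Constructed sample: one save changes a field value and moves read access
// from "alice" to "bob", the combination the advisory describes.
const before = { objectId: 'obj1', status: 'draft', ACL: { alice: { read: true } } };
const after = { objectId: 'obj1', status: 'final', ACL: { bob: { read: true } } };
const anyStatus = (o) => typeof o.status === 'string';

const forAlice = buildEvent(before, after, anyStatus, ['alice']); // lost read access
const forBob = buildEvent(before, after, anyStatus, ['bob']); // gained read access
const forCarol = buildEvent(before, after, anyStatus, ['carol']); // never had access

console.log(JSON.stringify({ forAlice, forBob, forCarol }, null, 2));
```

In this model the subscriber who loses access receives a leave event carrying only the old state, and the subscriber who gains access receives an enter event carrying only the new state.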