Auth bypass in Parse-community Parse-server
CVE-2026-33421
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP)…
Vulnerability class: Broken Access Control
EPSS: 0.000 (1.8th percentile)
Affected products
- Parse-community Parse-server — versions < 8.6.53; >= 9.0.0 and < 9.6.0-alpha.42
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576 (x_refsource_CONFIRM)
- https://github.com/parse-community/parse-server/pull/10250 (x_refsource_MISC)
- https://github.com/parse-community/parse-server/pull/10252 (x_refsource_MISC)
- https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea (x_refsource_MISC)
- https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee (x_refsource_MISC)