PatchSiren cyber security CVE debrief
CVE-2026-57481 parse-community CVE debrief
A LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber's ACL read access, because leave and enter events included the wrong object state. This issue is fixed in versions 9.9.1-alpha.13 and 8.6.83. The vulnerability affects Parse Server prior to 9.9.1-alpha.13 and 8.6.83, and users of Parse Server who utilize LiveQuery and have concerns about data access control should take action.
- Vendor
- parse-community
- Product
- parse-server
- CVSS
- LOW 2.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Users of Parse Server who utilize LiveQuery and have concerns about data access control should review and apply updates to Parse Server to version 9.9.1-alpha.13 or 8.6.83. They should also verify LiveQuery configurations and subscriber access controls, and monitor for unusual data access patterns.
Technical summary
In Parse Server prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read. This occurred when a single save operation modified both an object field and the subscriber's ACL read access. The issue arose from incorrect object state inclusion in leave and enter events. The vulnerability has been fixed in versions 9.9.1-alpha.13 and 8.6.83.
Defensive priority
Low priority, as CVSS score is 2.3.
Recommended defensive actions
- Review and apply updates to Parse Server to version 9.9.1-alpha.13 or 8.6.83.
- Verify LiveQuery configurations and subscriber access controls.
- Monitor for unusual data access patterns.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
Evidence is based on official CVE and NVD records, as well as source references from [email protected]. The CVE record was published on 2026-07-08T21:16:51.043Z and has not been modified since. A LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber's ACL read access, because leave and enter events included the wrong object state. This issue is fixed in versions 9.9.1-alpha.13 and 8.6.83. Users of Parse Server who utilize LiveQuery and have concerns about data access control should review and apply updates to Parse Server to version 9.9.1-alpha.13 or 8.6.83.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:51.043Z and has not been modified since.