PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-57481 parse-community CVE debrief

A LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber's ACL read access, because leave and enter events included the wrong object state. This issue is fixed in versions 9.9.1-alpha.13 and 8.6.83. The vulnerability affects Parse Server prior to 9.9.1-alpha.13 and 8.6.83, and users of Parse Server who utilize LiveQuery and have concerns about data access control should take action.

Vendor
parse-community
Product
parse-server
CVSS
LOW 2.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Users of Parse Server who utilize LiveQuery and have concerns about data access control should review and apply updates to Parse Server to version 9.9.1-alpha.13 or 8.6.83. They should also verify LiveQuery configurations and subscriber access controls, and monitor for unusual data access patterns.

Technical summary

In Parse Server prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read. This occurred when a single save operation modified both an object field and the subscriber's ACL read access. The issue arose from incorrect object state inclusion in leave and enter events. The vulnerability has been fixed in versions 9.9.1-alpha.13 and 8.6.83.

Defensive priority

Low priority, as CVSS score is 2.3.

Recommended defensive actions

  • Review and apply updates to Parse Server to version 9.9.1-alpha.13 or 8.6.83.
  • Verify LiveQuery configurations and subscriber access controls.
  • Monitor for unusual data access patterns.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

Evidence is based on official CVE and NVD records, as well as source references from [email protected]. The CVE record was published on 2026-07-08T21:16:51.043Z and has not been modified since. A LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber's ACL read access, because leave and enter events included the wrong object state. This issue is fixed in versions 9.9.1-alpha.13 and 8.6.83. Users of Parse Server who utilize LiveQuery and have concerns about data access control should review and apply updates to Parse Server to version 9.9.1-alpha.13 or 8.6.83.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:51.043Z and has not been modified since.