SCA: security update for parse-server (GHSA-5hmj-jcgp-6hff)

high Tenable Self-Hosted Container Security Plugin ID 438985

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.
Prior to 9.6.0-alpha.35 and 8.6.50, when a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a
class, the LiveQuery server leaks protected fields and `authData` to all subscribers of that class. Fields
configured as protected via Class-Level Permissions (`protectedFields`) are included in LiveQuery event
payloads for all event types (create, update, delete, enter, leave). Any user with sufficient CLP
permissions to subscribe to the affected class can receive protected field data of other users, including
sensitive personal information and OAuth tokens from third-party authentication providers. The
vulnerability was caused by a reference detachment bug. When an `afterEvent` trigger is registered, the
LiveQuery server converts the event object to a `Parse.Object` for the trigger, then creates a new JSON
copy via `toJSONwithObjects()`. The sensitive data filter was applied to the `Parse.Object` reference, but
the unfiltered JSON copy was sent to clients. The fix in versions 9.6.0-alpha.35 and 8.6.50 ensures that
the JSON copy is assigned back to the response object before filtering, so the filter operates on the
actual data sent to clients. As a workaround, remove all `Parse.Cloud.afterLiveQueryEvent` trigger
registrations. Without an `afterEvent` trigger, the reference detachment does not occur and protected
fields are correctly filtered. (CVE-2026-33163)

Solution

Update the parse-server library and its related packages to version 8.6.50 or later.

See Also

https://github.com/advisories/GHSA-5hmj-jcgp-6hff

Plugin Details

Severity: High

ID: 438985

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 3/19/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2026-33163

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.2

Threat Score: 4.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/18/2026

Vulnerability Publication Date: 3/18/2026

Reference Information

CVE: CVE-2026-33163

cwe: CWE-200