Cyber Resilience

CVE-2026-30947

High

Published: 10 March 2026

Published
10 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0043 34.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-30947 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30947 is a vulnerability in Parse Server, an open-source backend deployable on any Node.js-compatible infrastructure. In versions prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions, corresponding to CWE-863 (Incorrect Authorization). This flaw affects all Parse Server deployments that enable LiveQuery alongside CLP, allowing real-time data events to bypass intended access controls.

An unauthenticated or unauthorized remote attacker can exploit this by subscribing to any LiveQuery-enabled class, receiving real-time events for all objects regardless of CLP restrictions. This results in unauthorized disclosure of sensitive data intended to be restricted, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact over the network with low complexity.

Mitigation is available via upgrades to Parse Server 9.5.2-alpha.3 or 8.6.16, which enforce CLP on LiveQuery subscriptions. The Parse community advisories detail the fix: https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289, with release notes at https://github.com/parse-community/parse-server/releases/tag/8.6.16 and https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to…

more

any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an authorization bypass in a public-facing Parse Server application (LiveQuery CLP enforcement failure), directly enabling remote exploitation for unauthorized data access per T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34532Same product: Parseplatform Parse-Server
CVE-2026-30965Same product: Parseplatform Parse-Server
CVE-2026-29182Same product: Parseplatform Parse-Server
CVE-2026-30967Same product: Parseplatform Parse-Server
CVE-2026-34784Same product: Parseplatform Parse-Server
CVE-2026-31871Same product: Parseplatform Parse-Server
CVE-2026-30229Same product: Parseplatform Parse-Server
CVE-2026-32098Same product: Parseplatform Parse-Server
CVE-2026-30863Same product: Parseplatform Parse-Server
CVE-2026-32594Same product: Parseplatform Parse-Server

Affected Assets

parseplatform
parse-server
9.5.2 · ≤ 8.6.16 · 9.0.0 — 9.5.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires enforcement of approved authorizations for all access paths including LiveQuery subscriptions, directly preventing unauthorized real-time disclosure of CLP-restricted data.

prevent

Mandates timely identification, reporting, and correction of flaws like the CLP enforcement failure in Parse Server LiveQuery via patching to fixed versions.

prevent

Employs least privilege to restrict LiveQuery subscriptions to only necessary authorized users, mitigating the scope of authorization bypasses.

References