CVE-2026-30947
Published: 10 March 2026
Summary
CVE-2026-30947 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Periodic review and update of procedures reduces incorrect authorization implementations over time.
Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.
Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
The authorization process and usage restrictions help prevent incorrect authorization for remote access types.
Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.
Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.
Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.
Ensures authorization decisions for external system use are correctly implemented and enforced.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an authorization bypass in a public-facing Parse Server application (LiveQuery CLP enforcement failure), directly enabling remote exploitation for unauthorized data access per T1190.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to…
more
any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16.
Deeper analysisAI
CVE-2026-30947 is a vulnerability in Parse Server, an open-source backend deployable on any Node.js-compatible infrastructure. In versions prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions, corresponding to CWE-863 (Incorrect Authorization). This flaw affects all Parse Server deployments that enable LiveQuery alongside CLP, allowing real-time data events to bypass intended access controls.
An unauthenticated or unauthorized remote attacker can exploit this by subscribing to any LiveQuery-enabled class, receiving real-time events for all objects regardless of CLP restrictions. This results in unauthorized disclosure of sensitive data intended to be restricted, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact over the network with low complexity.
Mitigation is available via upgrades to Parse Server 9.5.2-alpha.3 or 8.6.16, which enforce CLP on LiveQuery subscriptions. The Parse community advisories detail the fix: https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289, with release notes at https://github.com/parse-community/parse-server/releases/tag/8.6.16 and https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3.
Details
- CWE(s)