CVE-2026-32742

🗓️ 18 Mar 2026 21:33:09Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 20 Views🌐 WEB

CVE-2026-32742: Authenticated users could overwrite session fields via POST /classes/_Session before fixes.

Reporter	Title	Published	Views	Family All 13
ATTACKERKB	CVE-2026-32742	18 Mar 202621:33	–	attackerkb
CNNVD	Parse Server 安全漏洞	18 Mar 202600:00	–	cnnvd
Cvelist	CVE-2026-32742 Parse Server session creation endpoint allows overwriting server-generated session fields	18 Mar 202621:33	–	cvelist
Github Security Blog	Parse Server session creation endpoint allows overwriting server-generated session fields	17 Mar 202618:37	–	github
NVD	CVE-2026-32742	18 Mar 202622:16	–	nvd
OSV	BIT-PARSE-2026-32742 Parse Server session creation endpoint allows overwriting server-generated session fields	20 Mar 202611:37	–	osv
OSV	CVE-2026-32742 Parse Server session creation endpoint allows overwriting server-generated session fields	18 Mar 202621:33	–	osv
OSV	GHSA-5V7G-9H8F-8PGG Parse Server session creation endpoint allows overwriting server-generated session fields	17 Mar 202618:37	–	osv
Positive Technologies	PT-2026-25982	17 Mar 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-32742	26 Mar 202615:10	–	redhatcve

NVD

Vulners

Node

parseplatform parse-serverRange<8.6.42node.js

parseplatform parse-serverRange9.0.0–9.6.0node.js

parseplatform parse-serverMatch9.6.0alpha1node.js

parseplatform parse-serverMatch9.6.0alpha10node.js

parseplatform parse-serverMatch9.6.0alpha11node.js

parseplatform parse-serverMatch9.6.0alpha12node.js

parseplatform parse-serverMatch9.6.0alpha13node.js

parseplatform parse-serverMatch9.6.0alpha14node.js

parseplatform parse-serverMatch9.6.0alpha15node.js

parseplatform parse-serverMatch9.6.0alpha16node.js

parseplatform parse-serverMatch9.6.0alpha3node.js

parseplatform parse-serverMatch9.6.0alpha4node.js

parseplatform parse-serverMatch9.6.0alpha5node.js

parseplatform parse-serverMatch9.6.0alpha6node.js

parseplatform parse-serverMatch9.6.0alpha7node.js

parseplatform parse-serverMatch9.6.0alpha8node.js

parseplatform parse-serverMatch9.6.0alpha9node.js

[
  {
    "vendor": "parse-community",
    "product": "parse-server",
    "versions": [
      {
        "version": ">= 9.0.0, < 9.6.0-alpha.17",
        "status": "affected"
      },
      {
        "version": "< 8.6.42",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg
github	www.github.com/parse-community/parse-server/pull/10196
github	www.github.com/parse-community/parse-server/pull/10195

Parameter	Position	Path	Description	CWE
sessionToken	request body	/classes/_Session	Authenticated user could overwrite server-generated _Session fields by supplying them in POST /classes/_Session to bypass expiration and predict session tokens (vulnerable prior to patches).	CWE-915
expiresAt	request body	/classes/_Session	Authenticated user could overwrite server-generated _Session fields by supplying them in POST /classes/_Session to bypass expiration and predict session tokens (vulnerable prior to patches).	CWE-915
createdWith	request body	/classes/_Session	Authenticated user could overwrite server-generated _Session fields by supplying them in POST /classes/_Session to bypass expiration and predict session tokens (vulnerable prior to patches).	CWE-915

17 Jun 2026 10:36Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.14.3

EPSS0.00306

SSVC

CWE-915