11 matches found
CVE-2026-34574
Parse Server vulnerability CVE-2026-34574 affects Parse Server prior to 8.6.69 and 9.7.0-alpha.14. An authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT to the session update endpoint, effectively nullifying session exp...
GHSA-JC39-686J-WP6Q Parse Server's Session Update endpoint allows overwriting server-generated session fields
Impact An authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. Patches The fix blocks...
Parse Server's Session Update endpoint allows overwriting server-generated session fields
Impact An authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. Patches The fix blocks...
Incorrect Authorization
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization via session fields such as expiresAt and createdWith. An authenticated user can modify...
BIT-PARSE-2026-32742 Parse Server session creation endpoint allows overwriting server-generated session fields
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.42, an authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST /classes/Session. Thi...
CVE-2026-32742
CVE-2026-32742 affects Parse Server. Before versions 9.6.0-alpha.17 and 8.6.42, an authenticated user could overwrite server-generated session fields (sessionToken, expiresAt, createdWith) when creating a session via POST /classes/_Session, potentially bypassing session expiration and predicting ...
CVE-2026-32742 Parse Server session creation endpoint allows overwriting server-generated session fields
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST...
CVE-2026-32742
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the POST /classes/Session endpoint. An...
Parse Server session creation endpoint allows overwriting server-generated session fields
Impact An authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST /classes/Session. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows...
PT-2026-25982
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST /classes/...