4 matches found
CVE-2026-39381
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any...
EUVD-2026-19917
Parse Server's Endpoint /sessions/me bypasses Session protectedFields...
GHSA-G4V2-QX3Q-4P64 Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Impact The GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET...
CVE-2026-39381
Parse Server (open-source Node.js backend) has a vulnerability in the GET /sessions/me endpoint where protected _Session fields configured via protectedFields are exposed to any authenticated user. The issue occurs prior to versions 9.8.0-alpha.7 and 8.6.75; the equivalent GET /sessions and GET /...