Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.
Published: 2026-03-10
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Session token exposure leading to account takeover
Action: Immediate Patch
AI Analysis

Impact

Parse Server’s query handling allows an attacker, whether authenticated or not, to obtain the session tokens of any user by passing a specially crafted value for the redirectClassNameForKey query parameter. The attacker can then hijack the victim’s account because the stolen tokens grant full access to that user’s resources.

Affected Systems

The vulnerability affects the open‑source Parse Server from the parse-community project. Versions prior to 9.5.2‑alpha.8 and 8.6.21 are impacted; all later releases contain a patch that removes the flaw.

Risk and Exploitability

The high severity score reflects the potential for full account takeover if successful. Exploitation requires the attacker to write or modify an object that contains a new relation field, which depends on the Class‑Level Permissions of at least one class. The exploitation likelihood is low, estimated at less than one percent, and the vulnerability is not currently part of the CISA KEV catalogue.

Generated by OpenCVE AI on April 16, 2026 at 09:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.5.2‑alpha.8 or 8.6.21, whichever applies to your deployment. This release removes the vulnerability path.
  • Reconfigure Class‑Level Permissions so that creation or updating of relation fields requires administrative authorization, thereby preventing the attacker’s required condition.
  • Audit and monitor API traffic for the use of redirectClassNameForKey in query strings; immediately block or log any such requests from untrusted sources.

Generated by OpenCVE AI on April 16, 2026 at 09:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6r2j-cxgf-495f Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
History

Wed, 11 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Tue, 10 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.
Title Parse Server session token exfiltration via `redirectClassNameForKey` query parameter
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 9.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T14:27:48.323Z

Reserved: 2026-03-07T17:53:48.815Z

Link: CVE-2026-30965

cve-icon Vulnrichment

Updated: 2026-03-11T14:27:41.224Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T21:16:48.820

Modified: 2026-03-11T15:31:39.400

Link: CVE-2026-30965

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses