Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.
Published: 2026-03-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Infinite session validity enabling unauthorized persistence
Action: Immediate Patch
AI Analysis

Impact

Parse Server allows an authenticated user to send a PUT request to the session update endpoint with a null value, bypassing the immutability guard on session fields such as expiresAt and createdWith. The flaw, identified as a conditional logic error (CWE-697), lets the session never expire, giving the attacker an indefinitely valid session. The impact is continued unauthorized access and persistence of the session's privileges within the application.

Affected Systems

The affected vendor is parse-community and the affected product is Parse Server. All releases prior to 8.6.69 and 9.7.0-alpha.14 are vulnerable, including the alpha releases listed in the CPE entries (9.7.0-alpha.1 through 9.7.0-alpha.13) and the wildcard CPE covering any version of parse-server running on Node.js.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity vulnerability. The EPSS score of less than 1% means the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote: an attacker authenticates and then sends a PUT request to the session update endpoint. Given the low exploitation probability and the absence of public exploits, the threat is primarily long-term unauthorized persistence rather than an immediate widespread attack.

Generated by OpenCVE AI on April 2, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.69 or later, or 9.7.0-alpha.14 or later, to apply the immutability guard fix.
  • Verify the deployment by confirming that attempts to set session fields to null are rejected and that session expiry follows the configured policy.
  • If an upgrade cannot be performed immediately, consider limiting client access to the session update endpoint or implementing server-side validation that rejects null values for immutable session fields until the platform is updated.
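The bug class the advisory title names (a falsy-value guard on immutable fields) and the server-side validation suggested in the third action above, as an added example in JavaScript. This is not Parse Server's code and does not reproduce the actual patch: the field list comes from the description, while the update-body shape, the function names and the fail-closed `isSessionValid` policy helper are assumptions made for illustration. A truthiness check such as `if (update[field])` never fires for null, so the null update is merged; checking for the key's presence instead rejects it regardless of value.

```javascript
'use strict';

// Added illustration of a falsy-value immutability guard and its fix.
// NOT Parse Server's code: the field list is from the advisory, everything
// else (request shape, function names, policy helper) is assumed.

const IMMUTABLE_SESSION_FIELDS = ['expiresAt', 'createdWith'];

// Vulnerable pattern: `if (update[field])` only fires for truthy values.
// null, undefined, 0, '' and false all slip past, so { expiresAt: null }
// is merged into the record and the stored expiry is wiped out.
function applySessionUpdateFalsyGuard(session, update) {
  for (const field of IMMUTABLE_SESSION_FIELDS) {
    if (update[field]) {
      throw new Error(`Cannot modify readonly attribute: ${field}`);
    }
  }
  return { ...session, ...update };
}

// Hardened pattern: reject the request if the key is present at all,
// whatever its value. Testing key presence instead of truthiness is the
// generic fix for this class of guard.
function applySessionUpdatePresenceGuard(session, update) {
  for (const field of IMMUTABLE_SESSION_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(update, field)) {
      throw new Error(`Cannot modify readonly attribute: ${field}`);
    }
  }
  return { ...session, ...update };
}

// Defense in depth for the session-length policy (assumed helper): a
// session whose expiry is missing or unparseable is treated as expired,
// never as valid forever.
function isSessionValid(session, now = Date.now()) {
  if (session.expiresAt === null || session.expiresAt === undefined) {
    return false; // fail closed: no expiry means invalid, not immortal
  }
  const expiresAtMs = new Date(session.expiresAt).getTime();
  if (Number.isNaN(expiresAtMs)) {
    return false;
  }
  return expiresAtMs > now;
}

// Constructed sample data, not taken from any real deployment.
const SAMPLE_SESSION = {
  sessionToken: 'r:constructed-example-token',
  expiresAt: new Date('2026-04-30T00:00:00Z'),
  createdWith: { action: 'login', authProvider: 'password' },
};
const NULL_EXPIRY_UPDATE = { expiresAt: null };

function demonstrate() {
  // Vulnerable guard: the null update is accepted and clears the expiry.
  const cleared = applySessionUpdateFalsyGuard(SAMPLE_SESSION, NULL_EXPIRY_UPDATE);

  // Hardened guard: the same update is rejected.
  let hardenedRejected = false;
  try {
    applySessionUpdatePresenceGuard(SAMPLE_SESSION, NULL_EXPIRY_UPDATE);
  } catch (err) {
    hardenedRejected = true;
  }

  return {
    vulnerableClearedExpiry: cleared.expiresAt === null,
    hardenedRejected,
    // Even if a cleared record reaches the policy check, fail-closed
    // validation does not treat it as valid.
    clearedSessionStillValid: isSessionValid(cleared, Date.parse('2026-04-01T00:00:00Z')),
  };
}

console.log(demonstrate());
```

The presence check is the part worth carrying into any interim server-side validation: rejecting only `null` leaves the other falsy values uncovered, while rejecting the key itself matches the intent of an immutable field.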


Advisories
Source: Github GHSA
ID: GHSA-f6j3-w9v3-cq22
Title: Parse Server has a session field immutability bypass via falsy-value guard
History

Thu, 02 Apr 2026 20:30:00 +0000

First Time appeared (values added): Parseplatform; Parseplatform parse-server
CPEs (values added):
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha9:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha12:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha13:*:*:*:node.js:*:*
Vendors & Products (values added): Parseplatform; Parseplatform parse-server
Metrics (values added): cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Metrics (values added): ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

First Time appeared (values added): Parse Community; Parse Community parse Server
Vendors & Products (values added): Parse Community; Parse Community parse Server

Tue, 31 Mar 2026 15:30:00 +0000

Description (values added): Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.
Title (values added): Parse Server: Session field immutability bypass via falsy-value guard
Weaknesses (values added): CWE-697
References
Metrics (values added): cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T17:57:27.398Z

Reserved: 2026-03-30T16:56:30.998Z

Link: CVE-2026-34574

Vulnrichment

Updated: 2026-04-01T17:57:21.444Z

NVD

Status: Analyzed

Published: 2026-03-31T16:16:33.923

Modified: 2026-04-02T17:23:16.757

Link: CVE-2026-34574

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:19:25Z

Weaknesses