Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.
Published: 2026-03-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Indefinite session validity enabling unauthorized continued access
Action: Patch Immediately
AI Analysis

Impact

An authenticated user can bypass the immutability guard on session fields by sending a null value in a PUT request to the session update endpoint, overwriting expiresAt and createdWith with null. With no expiry stored, the session is never treated as expired, so the configured session length no longer applies and the session remains valid indefinitely. The root cause is a guard that tests the submitted value for truthiness instead of checking whether the field is present in the request: null is falsy, so the guard treats a request that nulls the field as if the field were untouched (CWE-697, Incorrect Comparison). The result is prolonged access through a session that policy says should have lapsed.
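The guard behaviour described above, as an added example that is not Parse Server's own code: a toy model of the session update endpoint with the truthiness ("falsy-value") guard beside a presence-based one. The field names expiresAt and createdWith come from the advisory; the function names, the request shape, the error text and the sample session are assumptions made for this example.

```javascript
// Added example, not Parse Server's code: models why a truthiness guard on
// session fields lets a client null out expiresAt. Function names, request
// shape and error text are assumptions for this illustration.

const IMMUTABLE_SESSION_FIELDS = ['expiresAt', 'createdWith'];

// Vulnerable guard: only a truthy value counts as "an attempt to modify".
// null, '' and 0 are all falsy, so {"expiresAt": null} passes untouched.
function vulnerableGuard(body) {
  for (const field of IMMUTABLE_SESSION_FIELDS) {
    if (body[field]) {
      throw new Error(`Cannot modify readonly attribute: ${field}`);
    }
  }
}

// Hardened guard: presence of the key is what matters, not its value. This
// also rejects unset-style payloads such as {"expiresAt": {"__op": "Delete"}},
// since the key is present either way.
function fixedGuard(body) {
  for (const field of IMMUTABLE_SESSION_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      throw new Error(`Cannot modify readonly attribute: ${field}`);
    }
  }
}

// Minimal stand-in for "PUT /sessions/:objectId": run the guard, then merge
// the request body into the stored session object.
function updateSession(stored, body, guard) {
  guard(body);
  return { ...stored, ...body };
}

// A session with no expiry is never expired: the consequence the advisory
// describes when expiresAt has been nulled.
function isSessionExpired(session, nowMs) {
  if (session.expiresAt == null) return false;
  return Date.parse(session.expiresAt) <= nowMs;
}

// Constructed sample session (not real data).
const SAMPLE_SESSION = {
  objectId: 'r:sample',
  expiresAt: '2026-04-30T00:00:00.000Z',
  createdWith: { action: 'login', authProvider: 'password' },
};

// Replays the {"expiresAt": null} request against both guards.
function demo(nowMs = Date.parse('2027-01-01T00:00:00.000Z')) {
  const attackBody = { expiresAt: null };
  const bypassed = updateSession(SAMPLE_SESSION, attackBody, vulnerableGuard);
  let rejected = false;
  try {
    updateSession(SAMPLE_SESSION, attackBody, fixedGuard);
  } catch (e) {
    rejected = true;
  }
  return {
    vulnerableStoredExpiry: bypassed.expiresAt, // null
    vulnerableStillValidNextYear: !isSessionExpired(bypassed, nowMs), // true
    originalExpiredNextYear: isSessionExpired(SAMPLE_SESSION, nowMs), // true
    fixedGuardRejected: rejected, // true
  };
}

console.log(demo());
```

The same request with a truthy value (a real ISO date) is rejected by both guards, which is why a truthiness check looks correct in casual testing; only a falsy payload exposes the difference.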

Affected Systems

The flaw affects the open‑source Parse Server from parse-community. Any deployment running a version earlier than 8.6.69 or 9.7.0‑alpha.14 is vulnerable. The product is the Parse Server backend that can run on any Node.js‑capable infrastructure.

Risk and Exploitability

The CVSS 4.0 base score of 5.3 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L) is medium severity. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, so widespread exploitation currently looks unlikely. The attack needs no user interaction, only an authenticated user who can update their own session object, which is common in many applications. Because the vulnerability lets an attacker keep a session alive indefinitely, a session token obtained once can support sustained, low-noise abuse and data exfiltration for as long as it goes unrevoked, well past the lifetime the session length policy was meant to enforce.

Generated by OpenCVE AI on March 31, 2026 at 16:20 UTC.

Remediation

Vendor fix: upgrade to Parse Server 8.6.69 or 9.7.0-alpha.14, where the issue is patched. No vendor-provided workaround is documented.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Parse Server to version 8.6.69 or later, or 9.7.0-alpha.14 or later.
  • If immediate upgrade is not possible, revoke all existing user sessions and require re‑authentication to enforce new session lifetimes.
  • Verify that session token rotation and expiration policies are enforced after applying the patch.
  • Monitor authentication logs and stored session records for sessions with a null expiry or a lifetime longer than the configured session length.
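One way to carry out the revoke-and-monitor steps above, as an added example that is not Parse Server's or OpenCVE's code: an audit over exported session records that flags the symptom of this CVE (expiresAt null or missing) and any expiry further from createdAt than the session length policy allows, then lists the tokens to revoke. The session length value and the sample records are constructed assumptions for this example.

```javascript
// Added audit helper, not Parse Server code: scans session records for a null
// or missing expiresAt (the symptom of CVE-2026-34574) and for lifetimes
// longer than the configured session length, then lists tokens to revoke.
// The policy value and the sample records are assumptions for this example.

const SESSION_LENGTH_SECONDS = 31536000; // assumed policy: one year

// Parse's REST format encodes dates as {"__type":"Date","iso":"..."}; plain
// ISO strings are accepted too so that exported data works either way.
function toEpochMs(value) {
  if (value == null) return null;
  if (typeof value === 'object' && value.__type === 'Date') return Date.parse(value.iso);
  return Date.parse(value);
}

// Returns one finding per suspicious session, in input order.
function auditSessions(sessions, sessionLengthSeconds = SESSION_LENGTH_SECONDS) {
  const findings = [];
  for (const s of sessions) {
    const created = toEpochMs(s.createdAt);
    const expires = toEpochMs(s.expiresAt);
    if (expires === null || Number.isNaN(expires)) {
      findings.push({ objectId: s.objectId, user: s.user, reason: 'expiresAt null or missing' });
      continue;
    }
    if (expires - created > sessionLengthSeconds * 1000) {
      findings.push({ objectId: s.objectId, user: s.user, reason: 'expiresAt exceeds sessionLength' });
    }
  }
  return findings;
}

// Session tokens behind every finding, ready for revocation.
function tokensToRevoke(sessions, findings) {
  const flagged = new Set(findings.map((f) => f.objectId));
  return sessions.filter((s) => flagged.has(s.objectId)).map((s) => s.sessionToken);
}

// Constructed sample records (not real data). s1 is exactly one year long and
// must not be flagged; s2 is nulled, s3 lacks the field, s4 is far too long.
const SAMPLE_SESSIONS = [
  { objectId: 's1', user: 'u1', sessionToken: 'r:tok1', createdAt: '2026-03-01T00:00:00.000Z',
    expiresAt: { __type: 'Date', iso: '2027-03-01T00:00:00.000Z' } },
  { objectId: 's2', user: 'u2', sessionToken: 'r:tok2', createdAt: '2026-03-02T00:00:00.000Z',
    expiresAt: null },
  { objectId: 's3', user: 'u3', sessionToken: 'r:tok3', createdAt: '2026-03-03T00:00:00.000Z' },
  { objectId: 's4', user: 'u4', sessionToken: 'r:tok4', createdAt: '2026-03-04T00:00:00.000Z',
    expiresAt: '2030-01-01T00:00:00.000Z' },
];

console.log(auditSessions(SAMPLE_SESSIONS));
console.log(tokensToRevoke(SAMPLE_SESSIONS, auditSessions(SAMPLE_SESSIONS)));
```

Run it against a dump of the session class before the upgrade to size the blast radius, and again afterwards: after the patch the null case should produce no findings, and any remaining hits are sessions created before the fix that still need revoking.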


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-f6j3-w9v3-cq22
Title: Parse Server has a session field immutability bypass via falsy-value guard
History

Wed, 01 Apr 2026 23:45:00 +0000

  Metrics (added): ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

  First Time appeared (added): Parse Community; Parse Community parse Server
  Vendors & Products (added): Parse Community; Parse Community parse Server

Tue, 31 Mar 2026 15:30:00 +0000

  Description (added): Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.
  Title (added): Parse Server: Session field immutability bypass via falsy-value guard
  Weaknesses (added): CWE-697
  References
  Metrics (added): cvssV4_0
  {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T17:57:27.398Z

Reserved: 2026-03-30T16:56:30.998Z

Link: CVE-2026-34574

Vulnrichment

Updated: 2026-04-01T17:57:21.444Z

NVD

Status: Undergoing Analysis

Published: 2026-03-31T16:16:33.923

Modified: 2026-04-01T14:24:02.583

Link: CVE-2026-34574

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:10Z

Weaknesses