Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.
Published: 2026-04-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Session Data Exposure
Action: Apply Patch
AI Analysis

Impact

Parse Server, an open-source backend for Node.js, contains an endpoint that returns session information. The /sessions/me route improperly exposes fields that the server operator has marked as protected, allowing any authenticated user to retrieve sensitive data they should not see. This flaw can lead to disclosure of confidential session details and compromise the integrity of the session data, but does not allow a user to access other users’ sessions.

Affected Systems

The vulnerability exists in the parse-community:parse-server product, affecting all installations running versions before 9.8.0-alpha.7 and 8.6.75. Updating to those releases or later eliminates the issue.

Risk and Exploitability

With a CVSS score of 5.3, the flaw is considered moderate in severity. An attacker only needs to be authenticated against the application to exploit it, and no remote code execution or denial of service is possible. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting the threat of widespread exploitation is limited at present. The remedy is straightforward: upgrade to the fixed versions.

Generated by OpenCVE AI on April 7, 2026 at 22:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.8.0-alpha.7 or 8.6.75 or newer
  • Verify that the /sessions/me endpoint no longer returns protected fields
  • Review and enforce protectedFields configuration in deployment
  • Monitor authenticated session activity for unusual data exposure
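One way to carry out the verification step above, as an added example that is not Parse Server's own code: it compares a GET /sessions/me response body against the operator's protectedFields rule for _Session and reports any field that should have been stripped. The server URL, application id, session token and the two protected field names are assumed placeholders, only the '*' wildcard rule is evaluated, and Node 18+ is assumed for the global fetch.

```javascript
// Added verification example (not Parse Server's own code): confirm that
// GET /sessions/me no longer returns _Session fields the operator listed
// in protectedFields. Assumes Node 18+ (global fetch); the server URL,
// application id and session token are operator-supplied placeholders.

// Constructed server configuration excerpt: protect two _Session fields
// from every requester using the '*' wildcard rule.
const serverOptions = {
  protectedFields: {
    _Session: { '*': ['installationId', 'createdWith'] },
  },
};

// Pure check: return the protected fields of `className` that are present
// in a response body. Only the '*' rule is evaluated here (assumption:
// the deployment uses no role- or user-specific protectedFields entries).
function leakedProtectedFields(protectedFields, className, body) {
  const rule = (protectedFields[className] || {})['*'] || [];
  return rule.filter(f => Object.prototype.hasOwnProperty.call(body, f));
}

// Live check against a running server (defined only, not called here).
// An empty result means the endpoint strips the protected fields.
async function checkSessionsMe(serverUrl, appId, sessionToken, protectedFields) {
  const res = await fetch(`${serverUrl}/sessions/me`, {
    headers: {
      'X-Parse-Application-Id': appId,
      'X-Parse-Session-Token': sessionToken,
    },
  });
  if (!res.ok) throw new Error(`GET /sessions/me returned HTTP ${res.status}`);
  return leakedProtectedFields(protectedFields, '_Session', await res.json());
}

// Constructed sample responses: what an unpatched server returns for the
// caller's own session, and what a patched server (or GET /sessions/:objectId)
// returns once the protected fields are stripped.
const unpatchedResponse = {
  objectId: 'sess001', sessionToken: 'r:constructed-token',
  installationId: 'inst-001', createdWith: { action: 'login', authProvider: 'password' },
  createdAt: '2026-04-07T00:00:00.000Z',
};
const patchedResponse = {
  objectId: 'sess001', sessionToken: 'r:constructed-token',
  createdAt: '2026-04-07T00:00:00.000Z',
};
console.log('unpatched leaks:', leakedProtectedFields(serverOptions.protectedFields, '_Session', unpatchedResponse));
console.log('patched leaks:', leakedProtectedFields(serverOptions.protectedFields, '_Session', patchedResponse));
```

Against a live deployment, call `checkSessionsMe('https://<your-host>/parse', '<app id>', '<session token>', serverOptions.protectedFields)` with the same protectedFields object the server was started with; a non-empty array means the instance is still affected.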


Advisories

Source: GitHub GHSA
ID: GHSA-g4v2-qx3q-4p64
Title: Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`

History

Wed, 15 Apr 2026 16:00:00 +0000

Type: First Time appeared
Values Added: Parseplatform; Parseplatform parse-server

Type: CPEs
Values Added:
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha6:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Parseplatform; Parseplatform parse-server

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values Added: Parse Community; Parse Community parse Server

Tue, 07 Apr 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 20:45:00 +0000

Type: Description
Values Added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.

Type: Title
Values Added: Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`

Type: Weaknesses
Values Added: CWE-863

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-07T20:23:31.190Z
Reserved: 2026-04-06T22:06:40.515Z
Link: CVE-2026-39381

Vulnrichment

Updated: 2026-04-07T20:23:28.592Z

NVD

Status: Analyzed
Published: 2026-04-07T20:16:32.790
Modified: 2026-04-15T15:57:20.193
Link: CVE-2026-39381

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:46:02Z

Weaknesses