Parse Server: Session field immutability bypass via falsy-value guard

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.

Basic Information

ID CVE-2026-34574

Source GitHub_M

Published Mar 31, 2026 at 15:08

Modified Apr 1, 2026 at 17:57

Affected Product

Vendor parse-community

Product parse-server

Version < 8.6.69

Affected Versions parse-community parse-server < 8.6.69
parse-community parse-server >= 9.0.0, < 9.7.0-alpha.14

CWE Classification

CWE-697

References

{
    "lastseen": "",
    "description": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.",
    "published": "2026-03-31T15:08:31.013Z",
    "modified": "2026-04-01T17:57:27.398Z",
    "type": "cve",
    "title": "Parse Server: Session field immutability bypass via falsy-value guard",
    "source": "GitHub_M",
    "references": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22\nhttps://github.com/parse-community/parse-server/pull/10347\nhttps://github.com/parse-community/parse-server/pull/10348\nhttps://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21\nhttps://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777",
    "id": "CVE-2026-34574",
    "bulletinFamily": "",
    "cwe": [
        "CWE-697"
    ],
    "cvelist": null,
    "sourceData": "parse-community parse-server < 8.6.69\nparse-community parse-server >= 9.0.0, < 9.7.0-alpha.14",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "parse-server",
    "version": "< 8.6.69",
    "vendor": "parse-community",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Parse Server: Session field immutability bypass via falsy-value guard_CVE-2026-34574