CVE-2026-34574
Parse Server: Session field immutability bypass via falsy-value guard
Vexday Risk Score: 13 (Low)
SSVC decision (CISA): Track (no exploitation signal → monitor)
CVSS: 5.3 · EPSS: 0.2% · KEV: no · PoC: — · Nuclei: — · Metasploit: — · Patch: —
Lifecycle: 31 Mar 2026, published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
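The falsy-value guard described above, as an added example that is not Parse Server's own code (the function names, the `ImmutableFieldError` type and the sample session are assumptions modelled on the advisory): a truthiness check on the protected field beside a presence-based check, plus a helper that flags request bodies carrying a falsy value for a protected field.

```javascript
// Added illustration of the bug class (not Parse Server's own code).
// A session update guard that tests the *value* of a protected field
// for truthiness lets any falsy value (null, '', 0, false) through, so
// `{ "expiresAt": null }` clears the expiry instead of being rejected.
// The hardened form keys on *presence* of the field in the request body.
const PROTECTED_SESSION_FIELDS = ['expiresAt', 'createdWith'];

class ImmutableFieldError extends Error {
  constructor(field) {
    super(`Cannot modify immutable session field: ${field}`);
    this.field = field;
  }
}

// Vulnerable guard (hypothetical): truthiness check on the new value.
function applySessionUpdateVulnerable(session, update) {
  for (const field of PROTECTED_SESSION_FIELDS) {
    if (update[field]) throw new ImmutableFieldError(field);
  }
  return { ...session, ...update };
}

// Hardened guard: reject the request if the key is present at all,
// whatever value it carries.
function applySessionUpdateHardened(session, update) {
  for (const field of PROTECTED_SESSION_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(update, field)) {
      throw new ImmutableFieldError(field);
    }
  }
  return { ...session, ...update };
}

// Detection helper: which protected fields in a request body carry a
// falsy value, i.e. would have slipped past the vulnerable guard.
function falsyProtectedFields(update) {
  return PROTECTED_SESSION_FIELDS.filter(
    (f) => Object.prototype.hasOwnProperty.call(update, f) && !update[f]
  );
}

// Constructed sample session and request body (not real data).
const SAMPLE_SESSION = {
  objectId: 'sess_example',
  expiresAt: '2026-04-30T00:00:00.000Z',
  createdWith: { action: 'login', authProvider: 'password' },
};
const NULLING_UPDATE = JSON.parse('{"expiresAt": null}');
```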
Affected products
parse-community · parse-server
References
https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21
https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777
https://github.com/parse-community/parse-server/pull/10347
https://github.com/parse-community/parse-server/pull/10348
https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22