CVE-2026-34574
Parse Server: Session field immutability bypass via falsy-value guard
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 14th |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.
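The guard pattern named in the title, as an added illustrative model (not Parse Server source code). The function names, the session shape and the "missing expiry means never expires" check are assumptions; only the field names `expiresAt` and `createdWith` come from the description above.

```javascript
// Illustrative model only, not Parse Server code.
const IMMUTABLE_FIELDS = ['expiresAt', 'createdWith'];

// Weak guard: tests the VALUE for truthiness, so null, 0, '' and false pass unchecked.
function rejectImmutableFalsy(update) {
  for (const field of IMMUTABLE_FIELDS) {
    if (update[field]) {
      throw new Error(`Cannot modify readonly attribute: ${field}`);
    }
  }
}

// Hardened guard: tests for the PRESENCE of the key, whatever value it carries.
function rejectImmutableStrict(update) {
  for (const field of IMMUTABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(update, field)) {
      throw new Error(`Cannot modify readonly attribute: ${field}`);
    }
  }
}

// Hypothetical update path: run the guard, then merge the body into the stored session.
function tryUpdate(session, update, guard) {
  try {
    guard(update);
    return { ok: true, session: { ...session, ...update } };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Assumed validity rule for this model: a session without an expiry never expires.
function isSessionValid(session, now) {
  return session.expiresAt == null || new Date(session.expiresAt) > now;
}

// Constructed sample data.
const stored = { sessionToken: 'r:constructed', createdWith: { action: 'login' },
                 expiresAt: '2026-04-30T00:00:00.000Z' };
const later = new Date('2027-01-01T00:00:00.000Z');

const weak = tryUpdate(stored, { expiresAt: null }, rejectImmutableFalsy);
const strict = tryUpdate(stored, { expiresAt: null }, rejectImmutableStrict);
console.log('weak guard accepted null:', weak.ok,
            '| still valid later:', weak.ok && isSessionValid(weak.session, later));
console.log('strict guard accepted null:', strict.ok, '|', strict.error);
```

When auditing a deployment that ran an affected version, session records whose `expiresAt` is null or absent are the artifact this model predicts.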
| CWE | CWE-697 |
| Vendor | parse-community |
| Product | parse-server |
| Published | Mar 31, 2026 |
| Last Updated | Apr 1, 2026 |
Affected Versions
parse-community / parse-server
< 8.6.69
>= 9.0.0, < 9.7.0-alpha.14
References
github.com: https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22
github.com: https://github.com/parse-community/parse-server/pull/10347
github.com: https://github.com/parse-community/parse-server/pull/10348
github.com: https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21
github.com: https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777