Parse Server has a session field immutability bypass via falsy-value guard

Description

An authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.69

  >= 9.0.0, < 9.7.0-alpha.14**

• Patched version(s): **8.6.69

  9.7.0-alpha.14**

References

• GHSA-f6j3-w9v3-cq22
• CVE-2026-34574
• CWE-697
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value - CVE-2026-34595
• Parse Server has an MFA single-use token bypass via concurrent authData login requests - CVE-2026-34224
• parse-server has cloud function validator bypass via prototype chain traversal - CVE-2026-34532
• Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause - CVE-2026-32098

You might also like:

Exploiting Server Version Disclosure

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Update Cheat Sheet for Developers

Tags:

npm

parse-server