Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`

Description

The GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session’s protected fields with a single request.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 7.0.0, < 8.6.75

  >= 9.0.0, < 9.8.0-alpha.7**

• Patched version(s): **8.6.75

  9.8.0-alpha.7**

References

• GHSA-g4v2-qx3q-4p64
• CVE-2026-39381
• CWE-863
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Parse Server's GraphQL WebSocket endpoint bypasses security middleware - CVE-2026-32594
• Parse Server's Session Update endpoint allows overwriting server-generated session fields - CVE-2026-33527
• Parse Server session creation endpoint allows overwriting server-generated session fields - CVE-2026-32742
• Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization - CVE-2026-30850

You might also like:

Exploiting Server Version Disclosure

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

parse-server