Parse Server's Session Update endpoint allows overwriting server-generated session fields

Description

An authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server’s configured session lifetime policy, making a session effectively permanent.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.57

  >= 9.0.0, < 9.6.0-alpha.48**

• Patched version(s): **8.6.57

  9.6.0-alpha.48**

References

• GHSA-jc39-686j-wp6q
• CVE-2026-33527
• CWE-863
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Parse Server session creation endpoint allows overwriting server-generated session fields - CVE-2026-32742
• parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user - CVE-2026-30229
• Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` - CVE-2026-39381
• Parse Server has a protected fields bypass via dot-notation in query and sort - CVE-2026-31872

You might also like:

Update Cheat Sheet for Developers

Exploiting Server Version Disclosure

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

parse-server