Parse Server session creation endpoint allows overwriting server-generated session fields
- Severity:
- Medium
Description
An authenticated user can overwrite server-generated session fields (sessionToken, expiresAt, createdWith) when creating a session object via POST /classes/_Session. This allows bypassing the server’s session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
Affected version(s): **< 8.6.42 >= 9.0.0, < 9.6.0-alpha.17** Patched version(s): **8.6.42 9.6.0-alpha.17**
References
Related Issues
- Parse Server's Session Update endpoint allows overwriting server-generated session fields - CVE-2026-33527
- parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user - CVE-2026-30229
- Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter - CVE-2026-30965
- Parse Server has a protected fields bypass via dot-notation in query and sort - CVE-2026-31872
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on March 19, 2026