Parse Server session creation endpoint allows overwriting server-generated session fields
GHSA-5v7g-9h8f-8pgg · BIT-parse-2026-32742 · CVE-2026-32742
Description
Impact
An authenticated user can overwrite server-generated session fields (sessionToken, expiresAt, createdWith) when creating a session object via POST /classes/_Session. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value.
Patches
The session creation endpoint now filters out server-generated fields from user-supplied data, preventing them from being overwritten.
Workarounds
Add a beforeSave trigger on the _Session class to validate and reject or strip any user-supplied values for sessionToken, expiresAt, and createdWith.
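A concrete form of this workaround, as an added example that is not Parse Server's own code: pure helpers that detect or strip the three server-generated fields from a request body (the same filtering the patch applies), plus the Cloud Code beforeSave registration the advisory describes. It assumes the running Parse Server version accepts a beforeSave trigger on the _Session class and that master-key writes are the server's own session creation.

```javascript
// Fields the server must generate itself; a client-supplied value bypasses
// the session expiration policy or makes the token predictable.
const SERVER_GENERATED_SESSION_FIELDS = ['sessionToken', 'expiresAt', 'createdWith'];

// Returns the protected fields that appear in client-supplied data, in a fixed order.
function findOverriddenSessionFields(userSupplied) {
  return SERVER_GENERATED_SESSION_FIELDS.filter((field) =>
    Object.prototype.hasOwnProperty.call(userSupplied, field)
  );
}

// "Strip" variant: a copy of the request body without the protected fields,
// so the server falls back to generating them itself.
function stripServerGeneratedSessionFields(userSupplied) {
  const cleaned = { ...userSupplied };
  for (const field of SERVER_GENERATED_SESSION_FIELDS) delete cleaned[field];
  return cleaned;
}

// "Reject" variant: throws so the create request fails and can be logged/alerted on.
function assertNoServerGeneratedSessionFields(userSupplied) {
  const hit = findOverriddenSessionFields(userSupplied);
  if (hit.length > 0) {
    throw new Error(`client may not set server-generated session field(s): ${hit.join(', ')}`);
  }
}

// Constructed sample body (not from the advisory): a client trying to pin its own
// expiry and token on POST /classes/_Session. Only `user` should survive.
const SAMPLE_CLIENT_BODY = {
  user: { __type: 'Pointer', className: '_User', objectId: 'placeholderUserId' },
  expiresAt: { __type: 'Date', iso: '2999-01-01T00:00:00.000Z' },
  sessionToken: 'r:constructed-placeholder-token',
};

// Cloud Code wiring per the advisory. Registered only when running inside Parse
// Server so the helpers above also run stand-alone. Assumption: sessions created
// by the server on login/signup arrive with the master key and are left untouched.
if (typeof Parse !== 'undefined' && Parse.Cloud && Parse.Cloud.beforeSave) {
  Parse.Cloud.beforeSave('_Session', (request) => {
    if (request.master) return;
    const supplied = {};
    for (const key of request.object.dirtyKeys()) supplied[key] = request.object.get(key);
    assertNoServerGeneratedSessionFields(supplied); // a thrown Error rejects the save
  });
}
```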
References
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-32742
- WEB https://github.com/parse-community/parse-server/pull/10195
- WEB https://github.com/parse-community/parse-server/pull/10196
- PACKAGE https://github.com/parse-community/parse-server