MEDIUM 4.3 npm
Parse Server's Session Update endpoint allows overwriting server-generated session fields
GHSA-jc39-686j-wp6q · BIT-parse-2026-33527 · CVE-2026-33527
Description
Impact
An authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent.
Patches
The fix blocks authenticated users from setting expiresAt and createdWith fields when updating a session. Master key and maintenance key operations are not affected.
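The following is an added illustration of the class of check the fix describes; it is not Parse Server's code and not the patch from the linked pull requests. It assumes a hypothetical session-update validator with an auth object of the shape { isMaster, isMaintenance, user }, and it also includes a small detection helper run over constructed request records, so a defender can see both the server-side guard (client writes to expiresAt and createdWith are rejected unless a master or maintenance key is used) and how attempts against an unpatched server would look in request logs.

```javascript
// Added illustration (not Parse Server's own code). The function names, the
// auth object shape and the request record format are assumptions.

// Session fields the server generates; clients must not be able to write them.
const PROTECTED_SESSION_FIELDS = new Set(['expiresAt', 'createdWith']);

class ForbiddenFieldError extends Error {
  constructor(field) {
    super(`Clients cannot set session field "${field}"`);
    this.name = 'ForbiddenFieldError';
    this.field = field;
  }
}

// auth: { isMaster: boolean, isMaintenance: boolean, user: { id } | null } (assumed shape).
// Returns the update untouched for privileged callers; throws for a client
// that tries to write a protected field. Everything else passes through.
function validateSessionUpdate(update, auth) {
  const privileged = Boolean(auth && (auth.isMaster || auth.isMaintenance));
  if (privileged) {
    return update; // master / maintenance key operations keep full access
  }
  for (const key of Object.keys(update || {})) {
    if (PROTECTED_SESSION_FIELDS.has(key)) {
      throw new ForbiddenFieldError(key);
    }
  }
  return update;
}

// Detection helper: given request records (assumed shape below), return the ids
// of session updates that tried to write a protected field without a
// privileged key. Useful for reviewing logs from before the upgrade.
function findSuspiciousSessionWrites(records) {
  return records
    .filter(r =>
      r.method === 'PUT' &&
      typeof r.path === 'string' && r.path.startsWith('/sessions/') &&
      !r.master && !r.maintenance &&
      Object.keys(r.body || {}).some(k => PROTECTED_SESSION_FIELDS.has(k))
    )
    .map(r => r.requestId);
}

// Constructed sample request records, not real server logs.
const SAMPLE_RECORDS = [
  { requestId: 'r1', method: 'PUT', path: '/sessions/abc', master: false, maintenance: false,
    body: { expiresAt: { __type: 'Date', iso: '2099-01-01T00:00:00.000Z' } } },
  { requestId: 'r2', method: 'PUT', path: '/sessions/abc', master: false, maintenance: false,
    body: { installationId: 'device-1' } },
  { requestId: 'r3', method: 'PUT', path: '/sessions/def', master: true, maintenance: false,
    body: { createdWith: { action: 'login', authProvider: 'password' } } },
];

// Stand-alone demonstration.
try {
  validateSessionUpdate(SAMPLE_RECORDS[0].body, { user: { id: 'u1' } });
} catch (e) {
  console.log(`rejected: ${e.message}`);
}
console.log('suspicious request ids:', findSuspiciousSessionWrites(SAMPLE_RECORDS));
```

Only the first sample record is flagged: r2 writes a field that is not protected, and r3 carries a master key, which the advisory states is not affected by the fix.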
Workarounds
There is no known workaround other than upgrading.
Resources
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q
- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10263
- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10264
References
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33527
- WEB https://github.com/parse-community/parse-server/pull/10263
- WEB https://github.com/parse-community/parse-server/pull/10264
- WEB https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73
- WEB https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984
- PACKAGE https://github.com/parse-community/parse-server