CVE-2026-30965
Status: Received - Intake
Session Token Exfiltration via Query Parameter in Parse Server

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.
Meta Information
Published: 2026-03-10
Last Modified: 2026-03-11
Generated: 2026-05-07
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor Product Version / Range
parseplatform parse-server 9.5.2
parseplatform parse-server From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform parse-server to 8.6.21 (exc)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Parse Server to version 9.5.2-alpha.8 or later, or 8.6.21 or later, where the issue has been fixed.

Additionally, review and restrict Class-Level Permissions to limit the ability of attackers to create or update objects with new relation fields, as this is required to exploit the vulnerability.
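
The following is an added example (not Parse Server's own code, and not part of this advisory) showing how a defender can review the Class-Level Permissions the mitigation refers to. It audits each class for the precondition the description names: a request that can create or update an object and also add a new field (such as a relation field) to it. Assumptions: the input has the shape of the results array returned by Parse Server's schema endpoint (GET /parse/schemas, master-key only), with className and classLevelPermissions per class; a CLP key that is absent or grants "*" is treated as public, requiresAuthentication: true as open to any signed-in user, and anything else (named roles or users, pointer permissions, or an empty object) as restricted; an empty addField object is assumed to allow no client to add fields. The sample schemas are constructed for illustration.

```javascript
// Added example, not Parse Server's own code. Audits Class-Level Permissions
// (CLPs) for classes where a client can create or update an object AND add a new
// field to it, which is the precondition this advisory describes.
//
// Assumptions (labelled): input shaped like the `results` array of GET /parse/schemas;
// a CLP key that is absent or grants "*" is public; `requiresAuthentication: true`
// is open to any signed-in user; anything else is treated as restricted, and an
// empty addField object is assumed to let no client add fields.

const WRITE_OPERATIONS = ["create", "update"];
const RANK = { restricted: 0, authenticated: 1, public: 2 };

// Classify who may perform `op` on a class according to its CLP.
function permissionLevel(clp, op) {
  const perm = clp[op];
  if (perm === undefined || perm["*"] === true) return "public";
  if (perm.requiresAuthentication === true) return "authenticated";
  return "restricted"; // named roles/users, pointer permissions, or {} (nobody)
}

// Exposure of one class: a write (create OR update, so take the broadest) is
// needed together with addField, so the narrower of the two bounds the exposure.
function classExposure(schema) {
  const clp = schema.classLevelPermissions || {};
  const writeLevel = WRITE_OPERATIONS
    .map(op => permissionLevel(clp, op))
    .reduce((a, b) => (RANK[a] >= RANK[b] ? a : b));
  const addFieldLevel = permissionLevel(clp, "addField");
  return RANK[writeLevel] <= RANK[addFieldLevel] ? writeLevel : addFieldLevel;
}

// Every class whose CLP leaves the precondition reachable, in input order.
function auditClassLevelPermissions(schemas) {
  return schemas
    .map(schema => ({ className: schema.className, exposure: classExposure(schema) }))
    .filter(finding => finding.exposure !== "restricted");
}

// Hardened form of a CLP: keep the existing read/write rules but stop clients
// from adding new fields (assumption: an empty addField object allows no client;
// schema changes then require the master key).
function lockAddField(clp) {
  return { ...clp, addField: {} };
}

// Constructed sample schemas (not real data) in the shape of GET /parse/schemas results.
const SAMPLE_SCHEMAS = [
  { className: "Comment",
    classLevelPermissions: { create: { "*": true }, update: { "*": true }, addField: { "*": true } } },
  { className: "Order",
    classLevelPermissions: { create: { requiresAuthentication: true },
                             update: { requiresAuthentication: true },
                             addField: { requiresAuthentication: true } } },
  { className: "Setting",
    classLevelPermissions: { create: { "role:Admin": true }, update: { "role:Admin": true }, addField: {} } },
  { className: "Note",
    classLevelPermissions: { create: { "*": true }, update: { "*": true }, addField: {} } },
];

// Expected: Comment (public) and Order (authenticated); Setting and Note are restricted.
console.log(auditClassLevelPermissions(SAMPLE_SCHEMAS));
console.log("Comment after lockAddField:",
  classExposure({ className: "Comment",
                  classLevelPermissions: lockAddField(SAMPLE_SCHEMAS[0].classLevelPermissions) }));
```

Note that a class such as "Note" above, where anyone may create and update objects but nobody may add fields, does not meet the precondition: restricting addField alone closes it, while an "authenticated" finding still matters when sign-up is open, since the description covers authenticated attackers too. Upgrading to the fixed versions remains the primary fix; this audit only narrows what an unpatched deployment exposes.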


Can you explain this vulnerability to me?

This vulnerability exists in Parse Server's query handling before versions 9.5.2-alpha.8 and 8.6.21. It allows an attacker, whether authenticated or not, to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter.

To exploit this vulnerability, the attacker must be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class.

Exfiltrated session tokens can then be used to take over user accounts.

This vulnerability has been fixed in Parse Server versions 9.5.2-alpha.8 and 8.6.21.


How can this vulnerability impact me?

The vulnerability can lead to the exfiltration of session tokens belonging to other users.

With these stolen session tokens, an attacker can take over user accounts, potentially gaining unauthorized access to sensitive user data and functionality.

This can result in compromised user privacy, unauthorized actions performed on behalf of users, and overall security breaches within the affected Parse Server deployment.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know

