CVE-2026-32742
Session Field Overwrite in Parse Server Enables Session Expiration Bypass
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | From 9.0.0 (inc) to 9.6.0 (exc) |
| parseplatform | parse-server | to 8.6.42 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Parse Server versions prior to 9.6.0-alpha.17 and 8.6.42. An authenticated user can overwrite server-generated session fields such as sessionToken, expiresAt, and createdWith when creating a session object via the POST /classes/_Session endpoint.
By overwriting these fields, the user can bypass the server's session expiration policy by setting an arbitrary far-future expiration date and can also set a predictable session token value.
Starting from versions 9.6.0-alpha.17 and 8.6.42, the server filters out these server-generated fields from user-supplied data to prevent overwriting. A workaround for vulnerable versions is to add a beforeSave trigger on the _Session class to validate and reject or strip any user-supplied values for these fields.
How can this vulnerability impact me?
This vulnerability allows an authenticated user to bypass session expiration controls by setting a session to expire at a far-future date, effectively extending their session indefinitely.
It also allows the user to set predictable session token values, which can increase the risk of session hijacking or unauthorized access.
Overall, this can lead to unauthorized prolonged access to the system without re-authentication, potentially compromising the security of the application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Parse Server to version 9.6.0-alpha.17 or 8.6.42 or later, where the session creation endpoint filters out server-generated fields from user-supplied data, preventing overwriting.
As a workaround if upgrading is not immediately possible, add a beforeSave trigger on the _Session class to validate and reject or strip any user-supplied values for sessionToken, expiresAt, and createdWith.
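The workaround above, as an added example that is not code from the Parse Server project or the advisory: a validator that rejects or strips the three server-generated fields from a client's _Session creation body, shown as an Express-style guard in front of the Parse mount (that placement is my assumption; the advisory suggests a beforeSave trigger on _Session, from which the same checkSessionCreatePayload function could be called). All names and the sample body are constructed.

```javascript
// Added example, not code from the Parse Server project or the advisory:
// a validator for client bodies sent to POST /classes/_Session that spots
// the server-generated fields named above and strips or rejects them.

// Fields Parse Server generates itself; a client must never supply them.
const PROTECTED_SESSION_FIELDS = ['sessionToken', 'expiresAt', 'createdWith'];

// Inspect a session-creation body. mode 'reject' flags the request so it can
// be refused; mode 'strip' returns a copy with the offending keys removed.
// Returns { ok, rejected, body }.
function checkSessionCreatePayload(body, { mode = 'reject' } = {}) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, rejected: [], body: null }; // not a JSON object
  }
  // Own keys only, so nothing on the prototype chain can hide a match.
  const rejected = Object.keys(body).filter(k => PROTECTED_SESSION_FIELDS.includes(k));
  if (rejected.length === 0) return { ok: true, rejected, body };
  if (mode === 'reject') return { ok: false, rejected, body: null };
  const cleaned = {};
  for (const [k, v] of Object.entries(body)) {
    if (!rejected.includes(k)) cleaned[k] = v;
  }
  return { ok: true, rejected, body: cleaned };
}

// Express-style guard for the _Session create route (hypothetical placement
// in front of the Parse mount, assumed here as an alternative to the
// advisory's beforeSave trigger). Logs the attempt for detection, then refuses.
function sessionCreateGuard(req, res, next) {
  if (req.method !== 'POST') return next();
  const result = checkSessionCreatePayload(req.body, { mode: 'reject' });
  if (result.ok) return next();
  console.warn(`_Session create rejected, protected fields: ${result.rejected.join(', ')}`);
  // 119 is Parse's OPERATION_FORBIDDEN code; Parse Server reports it over HTTP 400.
  return res.status(400).json({ code: 119, error: 'protected session fields in request' });
}

// Constructed sample body of the kind the advisory describes: a client tries
// to choose its own token and push expiry far into the future.
const constructedTamperedBody = {
  user: { __type: 'Pointer', className: '_User', objectId: 'CONSTRUCTED' },
  sessionToken: 'r:client-chosen',
  expiresAt: { __type: 'Date', iso: '2099-01-01T00:00:00.000Z' },
  createdWith: { action: 'login', authProvider: 'password' },
};

console.log(checkSessionCreatePayload(constructedTamperedBody, { mode: 'strip' }).rejected);
// [ 'sessionToken', 'expiresAt', 'createdWith' ]
```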