Executive Summary

CVE-2026-34574 is a security vulnerability in Parse Server that allows an authenticated user to bypass the immutability protections on certain critical session fields such as expiresAt and createdWith. This is possible because the server improperly handles falsy values like null in session update requests. By sending a null value in a PUT request to the session update endpoint, an attacker can nullify the session expiry, effectively making the session valid indefinitely and bypassing configured session length policies.

The root cause is a flawed truthiness-based guard that fails to reject falsy values, allowing attackers to circumvent immutability checks. The vulnerability affects multiple session fields including expiresAt, createdWith, installationId, and sessionToken.

The issue has been fixed by replacing truthiness checks with explicit key-presence checks that reject any attempt to set these protected fields to null or other falsy values, thereby enforcing immutability as intended.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker with authenticated access to manipulate session data in a way that bypasses session expiration controls.

• An attacker can nullify the session expiry, making the session valid indefinitely.
• This bypasses any configured session length policies, potentially allowing unauthorized prolonged access.
• Attackers could also manipulate other protected session fields such as installationId and sessionToken, which could lead to session hijacking or privilege escalation.

Overall, the vulnerability compromises session integrity and security, increasing the risk of unauthorized access and abuse of user sessions.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves an authenticated user sending a PUT request to the session update endpoint with null values for protected session fields such as expiresAt, createdWith, installationId, or sessionToken. Detection involves monitoring for such suspicious PUT requests attempting to modify these immutable session fields.

You can detect potential exploitation attempts by inspecting HTTP PUT requests to the /sessions/:objectId endpoint for payloads containing null or falsy values in these protected fields.

Example commands to detect such attempts might include using network traffic inspection tools or logs filtering for PUT requests with these fields set to null.

• Using grep on server logs to find PUT requests with null values in protected fields: grep -i 'PUT /sessions/' /path/to/logfile | grep -E '"expiresAt":null|"createdWith":null|"installationId":null|"sessionToken":null'
• Using a network packet capture tool like tcpdump or Wireshark to filter HTTP PUT requests to /sessions/ and inspect JSON payloads for null values in protected fields.
• Implement application-level logging or monitoring to alert on PUT requests attempting to update expiresAt, createdWith, installationId, or sessionToken fields with null or falsy values.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Parse Server to a patched version where this vulnerability is fixed: version 8.6.69 or later, or 9.7.0-alpha.14 or later.

If immediate upgrade is not possible, a possible workaround is to implement a beforeSave trigger on the _Session class that rejects any updates attempting to set expiresAt, createdWith, installationId, or sessionToken fields to null or other falsy values.

Additionally, monitor and restrict authenticated user access to session update endpoints to reduce the risk of exploitation.

• Upgrade Parse Server to version 8.6.69, 9.7.0-alpha.14, or later where the fix is applied.
• Implement a beforeSave trigger on the _Session class to reject null or falsy values for protected session fields.
• Monitor logs and network traffic for suspicious PUT requests attempting to modify protected session fields.
• Restrict or audit authenticated user permissions related to session updates.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated user to bypass immutability protections on session fields such as expiresAt, enabling sessions to be valid indefinitely by nullifying session expiry. This can lead to unauthorized session persistence and potential privilege escalation.

Such unauthorized session manipulation could undermine security controls designed to limit session duration and access, which are important for compliance with standards like GDPR and HIPAA that require strict access control and session management to protect personal and sensitive data.

By allowing indefinite session validity, the vulnerability increases the risk of unauthorized access to protected data, potentially violating regulatory requirements for session expiration and user authentication controls.

The patch fixes this issue by enforcing strict validation to prevent null or falsy values from bypassing session field immutability, thereby helping maintain compliance with session management policies required by such standards.

Useful 0 Not Useful 0