CVE-2026-39381
Received Received - Intake
Information Disclosure in Parse Server Sessions Endpoint Allows Protected Field Access

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39381
EUVD
EUVD-2026-19917
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
parseplatform parse-server to 8.6.75 (exc)
parseplatform parse-server From 9.0.0 (inc) to 9.8.0 (exc)
parseplatform parse-server 9.8.0
parseplatform parse-server 9.8.0
parseplatform parse-server 9.8.0
parseplatform parse-server 9.8.0
parseplatform parse-server 9.8.0
parseplatform parse-server 9.8.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39381 is a vulnerability in the Parse Server's `/sessions/me` endpoint where it bypasses the `_Session` class's protectedFields security mechanism. This flaw allows any authenticated user to retrieve their own session's protected fields, which are supposed to be hidden, with a single GET request. The issue arises because the endpoint does not re-fetch the session using the caller's authentication context after validating the session token, causing protected fields to be exposed improperly.

The vulnerability is an Insecure Direct Object Reference (IDOR) that leads to unauthorized disclosure of sensitive session data such as the `createdWith` field. The fix involves a two-step session lookup process: first using a master-key context to verify the session and user, then re-fetching the session with the caller's actual authentication context to enforce protectedFields and Class-Level Permissions (CLP) properly.

Impact Analysis

This vulnerability allows any authenticated user to access protected session fields that should normally be hidden. Although the impact is limited to the exposure of certain sensitive session data, it can lead to unauthorized disclosure of information related to the user's session.

The CVSS v4 base score is 5.3 (Moderate), indicating a moderate severity. The attack can be performed remotely over the network with low complexity and requires only low privileges (an authenticated user). There is no impact on system integrity or availability, but confidentiality is affected due to exposure of protected session fields.

Detection Guidance

This vulnerability involves the `/sessions/me` endpoint in Parse Server improperly exposing protected session fields to authenticated users. To detect this vulnerability on your system, you can test whether the GET request to `/sessions/me` returns protected session fields that should be hidden.

A practical approach is to perform an authenticated GET request to the `/sessions/me` endpoint and inspect the response for any protected fields such as `_Session.createdWith` or other fields configured as protected via the `protectedFields` server option.

Example command using curl (replace <SESSION_TOKEN> with a valid session token):

  • curl -H "X-Parse-Session-Token: <SESSION_TOKEN>" https://your-parse-server-url/sessions/me

If the response includes fields that are supposed to be protected, the system is vulnerable. In contrast, the `/sessions` and `/sessions/:objectId` endpoints should not return these protected fields when queried similarly.

Mitigation Strategies

The primary mitigation step is to upgrade your Parse Server deployment to a fixed version where this vulnerability is addressed.

  • Upgrade to Parse Server version 9.8.0-alpha.7 or later if you are using the 9.x branch.
  • Alternatively, upgrade to version 8.6.75 or later if you are using the 8.x LTS branch.

These versions include a fix that enforces proper authorization checks and respects the `protectedFields` configuration on the `/sessions/me` endpoint, preventing exposure of protected session data.

No workarounds are available, so upgrading is the recommended immediate action.

Compliance Impact

The vulnerability in the Parse Server's `/sessions/me` endpoint allows authenticated users to retrieve protected session fields that should be hidden according to the server's configuration. This exposure of sensitive session data could lead to unauthorized disclosure of personal or session-related information.

Such unauthorized data exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information to protect user privacy and ensure data confidentiality.

By allowing protected session fields to be accessed improperly, the vulnerability could result in violations of these standards' requirements for data minimization, access control, and confidentiality, potentially leading to regulatory penalties or increased risk of data breaches.

The fix implemented in versions 8.6.75 and 9.8.0-alpha.7 ensures that protected fields are properly sanitized and access is controlled according to the caller's privileges, helping to restore compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39381. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart