CVE-2026-39381
Information Disclosure in Parse Server Sessions Endpoint Allows Protected Field Access

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.
Meta Information
Published: 2026-04-07
Last modified: 2026-04-15
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor         Product        Version / Range
parseplatform  parse-server   up to 8.6.75 (excluding)
parseplatform  parse-server   from 9.0.0 (including) to 9.8.0 (excluding)
parseplatform  parse-server   9.8.0
CWE ID: CWE-863
Description: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in the Parse Server's `/sessions/me` endpoint allows authenticated users to retrieve protected session fields that should be hidden according to the server's configuration. This exposure of sensitive session data could lead to unauthorized disclosure of personal or session-related information.

Such unauthorized data exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information to protect user privacy and ensure data confidentiality.

By allowing protected session fields to be accessed improperly, the vulnerability could result in violations of these standards' requirements for data minimization, access control, and confidentiality, potentially leading to regulatory penalties or increased risk of data breaches.

The fix implemented in versions 8.6.75 and 9.8.0-alpha.7 ensures that protected fields are properly sanitized and access is controlled according to the caller's privileges, helping to restore compliance with these standards.


Can you explain this vulnerability to me?

CVE-2026-39381 is a vulnerability in the Parse Server's `/sessions/me` endpoint where it bypasses the `_Session` class's protectedFields security mechanism. This flaw allows any authenticated user to retrieve their own session's protected fields, which are supposed to be hidden, with a single GET request. The issue arises because the endpoint does not re-fetch the session using the caller's authentication context after validating the session token, causing protected fields to be exposed improperly.

The vulnerability is an Insecure Direct Object Reference (IDOR) that leads to unauthorized disclosure of sensitive session data such as the `createdWith` field. The fix involves a two-step session lookup process: first using a master-key context to verify the session and user, then re-fetching the session with the caller's actual authentication context to enforce protectedFields and Class-Level Permissions (CLP) properly.


How can this vulnerability impact me?

This vulnerability allows any authenticated user to access protected session fields that should normally be hidden. Although the impact is limited to the exposure of certain sensitive session data, it can lead to unauthorized disclosure of information related to the user's session.

The CVSS v4 base score is 5.3 (Moderate), indicating a moderate severity. The attack can be performed remotely over the network with low complexity and requires only low privileges (an authenticated user). There is no impact on system integrity or availability, but confidentiality is affected due to exposure of protected session fields.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the `/sessions/me` endpoint in Parse Server improperly exposing protected session fields to authenticated users. To detect this vulnerability on your system, you can test whether the GET request to `/sessions/me` returns protected session fields that should be hidden.

A practical approach is to perform an authenticated GET request to the `/sessions/me` endpoint and inspect the response for any protected fields such as `_Session.createdWith` or other fields configured as protected via the `protectedFields` server option.

Example command using curl (replace <SESSION_TOKEN> with a valid session token):

  • curl -H "X-Parse-Session-Token: <SESSION_TOKEN>" https://your-parse-server-url/sessions/me

If the response includes fields that are supposed to be protected, the system is vulnerable. In contrast, the `/sessions` and `/sessions/:objectId` endpoints should not return these protected fields when queried similarly.
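
The comparison described above can be automated. The following Python script is an added example, not code from the advisory or the Parse Server project: it requests GET /sessions/me and GET /sessions/:objectId with the same session token and reports every key that only the /sessions/me response carries. The base URL, application ID and session token are placeholders supplied on the command line (the X-Parse-Application-Id header is the standard Parse REST header); the two sample responses embedded for the offline self-test are constructed.

```python
import json
import sys
import urllib.request

# Constructed sample responses for the offline self-test; not real server output.
# SAMPLE_BY_ID is what the same caller gets from /sessions/:objectId, where
# protectedFields are applied and "createdWith"/"installationId" are stripped.
SAMPLE_ME = {"objectId": "abc123", "sessionToken": "r:token", "restricted": False,
             "createdWith": {"action": "login", "authProvider": "password"},
             "installationId": "inst-1"}
SAMPLE_BY_ID = {"objectId": "abc123", "sessionToken": "r:token", "restricted": False}


def fetch_json(base_url, app_id, token, path):
    """GET a Parse REST path as the session's owner and return the decoded body."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"X-Parse-Application-Id": app_id,
                 "X-Parse-Session-Token": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def leaked_fields(me, by_id, configured=None):
    """Keys the /sessions/me response carries that /sessions/:objectId strips
    for the same caller. On a fixed server both endpoints apply protectedFields,
    so the result is empty. When the operator's configured protected field
    names are known, the report is restricted to those names."""
    extra = set(me) - set(by_id)
    if configured is not None:
        extra &= set(configured)
    return sorted(extra)


def check_server(base_url, app_id, token, configured=None):
    """Fetch both endpoints with one session token and return leaked field names."""
    me = fetch_json(base_url, app_id, token, "/sessions/me")
    # A fixed server still returns the session itself (minus protected fields),
    # so objectId is available to build the second request for comparison.
    by_id = fetch_json(base_url, app_id, token, "/sessions/" + me["objectId"])
    return leaked_fields(me, by_id, configured)


if __name__ == "__main__":
    # Usage: python check_sessions_me.py <BASE_URL> <APP_ID> <SESSION_TOKEN>
    leaked = check_server(*sys.argv[1:4])
    if leaked:
        print("fields returned only by /sessions/me: " + ", ".join(leaked))
    else:
        print("no difference between /sessions/me and /sessions/:objectId")
```

A non-empty result on a server where the listed fields are configured as protected for _Session indicates the unpatched behaviour.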


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade your Parse Server deployment to a fixed version where this vulnerability is addressed.

  • Upgrade to Parse Server version 9.8.0-alpha.7 or later if you are using the 9.x branch.
  • Alternatively, upgrade to version 8.6.75 or later if you are using the 8.x LTS branch.

These versions include a fix that enforces proper authorization checks and respects the `protectedFields` configuration on the `/sessions/me` endpoint, preventing exposure of protected session data.

No workarounds are available, so upgrading is the recommended immediate action.

