Parse Server, Improper Access Control, CVE-2026-XXXXX (Moderate)

Listen to this Post

Parse Server fails to sanitize user input during session creation via the `POST /classes/_Session` endpoint. An authenticated attacker can supply values for server-generated fields like sessionToken, expiresAt, and createdWith. The server does not filter these out, allowing the attacker to overwrite them. By setting a custom `expiresAt` value, a user can bypass the server’s configured session expiration policy and create a session that never expires. By setting a predictable sessionToken, they undermine the security of the authentication system. The vulnerability exists because the endpoint does not distinguish between user-supplied data and server-reserved fields. The patch introduces filtering to strip these server-generated fields from incoming data. This ensures that only the server can set or modify these critical session properties .
Platform: Parse Server
Version: <8.6.42, >=9.0.0<9.6.0-alpha.17
Vulnerability: Session Field Overwrite
Severity: Moderate
Date: March 18, 2026

Prediction: Patches already available

What Undercode Say:

Analytics:

This vulnerability highlights a recurring class of issues in Parse Server related to insufficient input sanitization on internal classes like _Session. Previous CVEs (CVE-2021-39138, CVE-2022-39225) have also targeted the `_Session` class, indicating it is a critical area for security review . The ability to set a predictable `sessionToken` could be chained with other vulnerabilities, such as object ID guessing (CVE-2022-39225), to take over user accounts . The disclosure and patch release were handled quickly, with patches available the same day the advisory was published.

How Exploit:

To exploit this, an attacker would send a POST request to the `/classes/_Session` endpoint with a forged payload.

Example curl command to exploit the vulnerability
curl -X POST https://your-parse-server.com/classes/_Session \
-H "X-Parse-Application-Id: YOUR_APP_ID" \
-H "X-Parse-Session-Token: VALID_SESSION_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"user": {
"__type": "Pointer",
"className": "_User",
"objectId": "TARGET_USER_ID"
},
"sessionToken": "PREDICTABLE_TOKEN_123",
"expiresAt": {
"__type": "Date",
"iso": "2099-01-01T00:00:00.000Z"
}
}'

Protection from this CVE:

  1. Immediate Patching: Upgrade Parse Server to version `8.6.42` (for the 8.x branch) or `9.6.0-alpha.17` (for the 9.x branch) or later.
  2. Workaround: If you cannot upgrade immediately, implement a `beforeSave` trigger for the `_Session` class to strip or reject attempts to write to server-generated fields.
    // Cloud Code beforeSave trigger for _Session
    Parse.Cloud.beforeSave('_Session', (request) => {
    const restrictedFields = ['sessionToken', 'expiresAt', 'createdWith'];
    restrictedFields.forEach(field => {
    if (request.object.has(field) && !request.object.isNew()) {
    request.object.unset(field);
    }
    });
    });
    

Impact:

Successful exploitation allows an authenticated user to create sessions that ignore the server’s expiration policy, leading to persistent unauthorized access. By setting a known sessionToken, an attacker can bypass token generation mechanisms, making session hijacking trivial. If the `createdWith` field is used in custom authorization logic, an attacker could misrepresent the session’s origin (e.g., making an anonymous session appear as a password-created one), potentially escalating privileges .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top