CVE-2026-30965

CRITICAL EPSS 27.9%
Published Mar 10, 20263mo ago · Modified Mar 11, 20263mo ago
9.9 CVSS 4.0
Critical
Find Similar
Published Mar 10, 2026 3mo ago
Last Modified Mar 11, 2026 3mo ago

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.

CVSS Details

Base Score
9.9
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
27.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-863 Incorrect Authorization Authorization

Affected Products 9

VendorProductVersionRange
parseplatformparse-server* <8.6.21
parseplatformparse-server*≥9.0.0  –  <9.5.2
parseplatformparse-server9.5.2any
parseplatformparse-server9.5.2any
parseplatformparse-server9.5.2any
parseplatformparse-server9.5.2any
parseplatformparse-server9.5.2any
parseplatformparse-server9.5.2any
parseplatformparse-server9.5.2any

References 3

  • github.com https://github.com/parse-community/parse-server/releases/tag/8.6.21
    ProductRelease Notes
  • github.com https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8
    ProductRelease Notes
  • github.com https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f
    Vendor AdvisoryMitigation

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.