CVE-2026-34574

Severity: Medium (CVSS 4.0 base score 5.3)
EPSS: 11.2%
Published: Mar 31, 2026
Last Modified: Jun 17, 2026

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.
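A minimal sketch of how a null value can slip past an immutability guard, next to a stricter check and a review helper for stored sessions. This is an added example, not Parse Server's code: it assumes the flawed guard relied on a truthiness test, which this page does not confirm, and all function names and sample records are hypothetical.

```javascript
// Added illustration; not Parse Server source. All names are hypothetical.
const IMMUTABLE_SESSION_FIELDS = ['expiresAt', 'createdWith'];

// Flawed guard (assumed shape): a truthiness test treats null like
// "field not sent", so { expiresAt: null } is accepted by the guard.
function flawedGuard(update) {
  for (const field of IMMUTABLE_SESSION_FIELDS) {
    if (update[field]) {
      throw new Error(`Cannot modify readonly attribute: ${field}`);
    }
  }
}

// Hardened guard: reject the update whenever the key is present,
// whatever its value (null, undefined, 0 and '' included).
function strictGuard(update) {
  for (const field of IMMUTABLE_SESSION_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(update, field)) {
      throw new Error(`Cannot modify readonly attribute: ${field}`);
    }
  }
}

// Returns true when the guard lets the update body through.
function accepts(guard, update) {
  try { guard(update); return true; } catch (e) { return false; }
}

// Review helper: list session records whose expiry is null or missing,
// the state a nullified expiresAt leaves behind.
function sessionsWithoutExpiry(sessions) {
  return sessions.filter(s => s.expiresAt == null).map(s => s.objectId);
}

// Constructed sample records.
const sampleSessions = [
  { objectId: 'sessA', expiresAt: '2026-07-01T00:00:00.000Z' },
  { objectId: 'sessB', expiresAt: null },
  { objectId: 'sessC' },
];

console.log(accepts(flawedGuard, { expiresAt: null }));  // guard passes null
console.log(accepts(strictGuard, { expiresAt: null }));  // guard rejects null
console.log(sessionsWithoutExpiry(sampleSessions));
```
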

CVSS Details

Base Score: 5.3
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Threat Intelligence

EPSS Exploit Probability: 11.2% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Weaknesses 1

CWE-697

Affected Products 15

Vendor         Product        Version   Range
parseplatform  parse-server   *         <8.6.69
parseplatform  parse-server   *         ≥9.0.0 – <9.7.0
parseplatform  parse-server   9.7.0     any

References 5

  • github.com https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21
    Patch
  • github.com https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777
    Patch
  • github.com https://github.com/parse-community/parse-server/pull/10347
    Issue Tracking, Patch
  • github.com https://github.com/parse-community/parse-server/pull/10348
    Issue Tracking, Patch
  • github.com https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22
    Patch, Vendor Advisory

Remediation

  • github.com https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21
    Patch
  • github.com https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777
    Patch
  • github.com https://github.com/parse-community/parse-server/pull/10347
    Issue Tracking, Patch
  • github.com https://github.com/parse-community/parse-server/pull/10348
    Issue Tracking, Patch
  • github.com https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22
    Patch, Vendor Advisory