Threat Intel

v0.1

← CVEs

CVE-2026-32742

MED 4.3
Published
2026-03-18
Last Modified
2026-03-19
Affected Apps
8
Affected Devices
9
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session object via `POST /classes/_Session`. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value. Starting in version 9.6.0-alpha.17 and 8.6.42, the session creation endpoint filters out server-generated fields from user-supplied data, preventing them from being overwritten. As a workaround, add a `beforeSave` trigger on the `_Session` class to validate and reject or strip any user-supplied values for `sessionToken`, `expiresAt`, and `createdWith`.
Affected Applications in Environment 8
Platform v17,38,0,0
1 device
Platform v17,17,0,0
1 device
Platform v17,15,0,0
2 devices
Platform v3.1.119.0
1 device
Platform v3.1.116.0
1 device
Platform v3.1.120.0
1 device
Platform v17,24,0,0
1 device
server v1.0.0.0
1 device
Affected Devices 9
ARSUTLGU4000052 Windows DESKTOP-6US3N85 Windows DESKTOP-7IU23EB Windows DPEXAN-5CD017CV Windows DPHSNG-34Y86X3 Windows DPMATH-C11312G9 Windows EBB107-01 Windows FL217-2-ADOTTER Windows MICHELLEUSUHP Windows
References 3