CVE-2026-33527
UNKNOWN
NVD
CVSS Score
0
Severity
UNKNOWN
Published
Mar 24, 2026
Vendor
unknown
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. This issue has been patched in versions 8.6.57 and 9.6.0-alpha.48.
References
- https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73
- https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984
- https://github.com/parse-community/parse-server/pull/10263
- https://github.com/parse-community/parse-server/pull/10264
- https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q