CVSS score: 5.3
Authenticated users can extend or bypass session expiration in Parse Server
CVE-2026-34574
GHSA-f6j3-w9v3-cq22
Summary
If you're using an outdated version of Parse Server, an authenticated user might be able to keep their session active forever. This is a security risk because it could allow unauthorized access to your system. Update to the latest version (8.6.69 or 9.7.0-alpha.14) to fix this issue.
What to do
- Update parse-server to version 9.7.0-alpha.14.
- Update parse-server to version 8.6.69.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | parse-server | > 9.0.0, <= 9.7.0-alpha.14 | 9.7.0-alpha.14 |
| – | parse-server | <= 8.6.69 | 8.6.69 |
Original title
Parse Server has a session field immutability bypass via falsy-value guard
Original description
### Impact
An authenticated user can bypass the immutability guard on session fields (`expiresAt`, `createdWith`) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies.
### Patches
The truthiness-based guard checks were replaced with key-presence checks that reject any value for protected session fields, including null.
### Workarounds
There is no known workaround. A `beforeSave` trigger on `_Session` could be used to reject null values for `expiresAt` and `createdWith`.
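The guard pattern the advisory describes, as an added illustration that is not Parse Server's own code: the truthiness-based check that lets a `null` value through, the key-presence check that replaced it, and a payload validator of the kind a `beforeSave` trigger on `_Session` would apply. Function and variable names are hypothetical; only the field names `expiresAt` and `createdWith` come from the advisory, and the rule that a session with a null `expiresAt` is never treated as expired is assumed here to model the effect the advisory states.

```javascript
// Added illustration (not Parse Server's code). Names are hypothetical; the
// protected field names come from the advisory.
const PROTECTED_SESSION_FIELDS = ['expiresAt', 'createdWith'];

// Vulnerable pattern: "if the client sent a value for a protected field,
// reject the update". Any falsy value (null, undefined, 0, '', false) is
// invisible to this check, so `{ "expiresAt": null }` passes.
function checkUpdateTruthy(update) {
  const rejected = PROTECTED_SESSION_FIELDS.filter((field) => update[field]);
  return { ok: rejected.length === 0, rejected };
}

// Patched pattern: reject when the key is present at all, whatever its value.
function checkUpdateKeyPresence(update) {
  const rejected = PROTECTED_SESSION_FIELDS.filter((field) =>
    Object.prototype.hasOwnProperty.call(update, field));
  return { ok: rejected.length === 0, rejected };
}

// Assumed semantics for the illustration: a session with no expiry never
// expires. This is the effect the advisory attributes to a nullified expiresAt.
function isSessionExpired(session, nowMs) {
  if (session.expiresAt == null) return false;
  return new Date(session.expiresAt).getTime() <= nowMs;
}

// Applies an update only if the given guard accepts it.
function applySessionUpdate(session, update, guard) {
  const verdict = guard(update);
  if (!verdict.ok) return { applied: false, session, rejected: verdict.rejected };
  return { applied: true, session: { ...session, ...update }, rejected: [] };
}

// The check a beforeSave-style validator would perform on the incoming
// payload: any protected key, null included, is refused before storage.
function validateSessionPayload(payload) {
  const verdict = checkUpdateKeyPresence(payload);
  if (!verdict.ok) {
    throw new Error(`Cannot modify session field(s): ${verdict.rejected.join(', ')}`);
  }
  return payload;
}

// Constructed scenario: a session expiring tomorrow, and a client update that
// sets expiresAt to null. Returns what each guard does with it.
function demo() {
  const now = Date.UTC(2026, 3, 1); // constructed "current time": 2026-04-01
  const oneYearLater = now + 365 * 24 * 60 * 60 * 1000;
  const session = { sessionToken: 'r:constructed-token', expiresAt: '2026-04-02T00:00:00.000Z' };
  const nullifying = { expiresAt: null };

  const vuln = applySessionUpdate(session, nullifying, checkUpdateTruthy);
  const fixed = applySessionUpdate(session, nullifying, checkUpdateKeyPresence);
  return {
    vulnApplied: vuln.applied,                                   // true: null slipped through
    vulnExpiredAfterYear: isSessionExpired(vuln.session, oneYearLater), // false: never expires
    fixedApplied: fixed.applied,                                 // false: key presence rejected it
    fixedRejected: fixed.rejected,                               // ['expiresAt']
    originalExpiredAfterYear: isSessionExpired(session, oneYearLater), // true
  };
}
```

The point of the key-presence check is that the decision no longer depends on the value at all: whether the client sends a date, `null`, an empty string or `0`, the protected key is refused, which is also why a trigger that rejects only `null` is narrower than the actual fix.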
NVD CVSS 4.0 score: 5.3
Vulnerability type
CWE-697 (Incorrect Comparison)
References
- https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d725...
- https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1...
- https://github.com/parse-community/parse-server/pull/10347
- https://github.com/parse-community/parse-server/pull/10348
- https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9...
- https://nvd.nist.gov/vuln/detail/CVE-2026-34574
- https://github.com/advisories/GHSA-f6j3-w9v3-cq22
Published: 1 Apr 2026 · Updated: 1 Apr 2026 · First seen: 31 Mar 2026