CVSS score: 5.3

Parse Server Leaks Protected Session Data

CVE-2026-39381 GHSA-g4v2-qx3q-4p64
Summary

Prior to versions 9.8.0-alpha.7 and 8.6.75, Parse Server returns sensitive session data that is meant to be hidden. This happens when an authenticated user requests their own session details. To fix this, update to version 9.8.0-alpha.7 or 8.6.75 or later.

What to do
  • Update parseadmin parse-server to version 9.8.0-alpha.7.
  • Update parseadmin parse-server to version 8.6.75.
Affected software

| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| parseadmin | parse-server | > 9.0.0, <= 9.8.0-alpha.7 | 9.8.0-alpha.7 |
| parseadmin | parse-server | > 7.0.0, <= 8.6.75 | 8.6.75 |
Original title
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Original description
### Impact

The `GET /sessions/me` endpoint returns `_Session` fields that the server operator explicitly configured as protected via the `protectedFields` server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent `GET /sessions` and `GET /sessions/:objectId` endpoints correctly strip protected fields.

### Patches

The `GET /sessions/me` handler now re-fetches the session with the caller's auth context after validating the session token, ensuring `protectedFields` and CLP apply consistently with other session endpoints.
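The following is an added illustration, not Parse Server's own code, of the behaviour described in the Impact and Patches sections above. It models a `_Session` record and a `protectedFields` configuration, contrasts a handler that returns the validated record as-is with one that applies the same filtering as `GET /sessions/:objectId`, and includes a small comparison function that a defender can run over two captured JSON responses to see which keys `/sessions/me` exposes that the by-id endpoint does not. The session values, the hidden field names and the exact shape of the `protectedFields` option (class name, then principal, then a list of field names) are assumptions made for this example.

```javascript
// Added example: models the protectedFields behaviour the advisory describes.
// It is not Parse Server's own code. The sample session values are constructed,
// and the protectedFields layout (class -> principal -> field list) is an
// assumption about the server option's format.

// Constructed server configuration: hide two _Session fields from everyone ('*').
const serverConfig = {
  protectedFields: {
    _Session: {
      '*': ['installationId', 'createdWith'],
    },
  },
};

// Constructed _Session record as it would sit in the database.
const storedSession = {
  objectId: 'sess0001',
  sessionToken: 'r:constructed-session-token',
  user: { __type: 'Pointer', className: '_User', objectId: 'user0001' },
  installationId: 'constructed-installation-id',
  createdWith: { action: 'login', authProvider: 'password' },
  restricted: false,
  expiresAt: { __type: 'Date', iso: '2026-05-08T00:00:00.000Z' },
  createdAt: '2026-04-08T00:00:00.000Z',
  updatedAt: '2026-04-08T00:00:00.000Z',
};

// Field names protected for the caller. Only the '*' (everyone) entry is
// handled here; per-user and per-role entries are out of scope for this sketch.
function protectedFieldsFor(className, config) {
  const byClass = (config.protectedFields || {})[className] || {};
  return new Set(byClass['*'] || []);
}

// Drop protected fields from an object before it leaves the server.
function stripProtectedFields(className, obj, config) {
  const hidden = protectedFieldsFor(className, config);
  const out = {};
  for (const [key, value] of Object.entries(obj)) {
    if (!hidden.has(key)) out[key] = value;
  }
  return out;
}

// Vulnerable shape: the record validated by session token is returned unchanged,
// so protectedFields never get a chance to apply.
function sessionsMeVulnerable(session) {
  return { ...session };
}

// Fixed shape: the record goes through the same filtering path that
// GET /sessions/:objectId uses, so protectedFields apply consistently.
function sessionsMeFixed(session, config) {
  return stripProtectedFields('_Session', session, config);
}

// Defender-side check over two captured responses for the same session:
// which keys does /sessions/me return that /sessions/:objectId does not?
function leakedKeys(meResponse, byIdResponse) {
  const byId = new Set(Object.keys(byIdResponse));
  return Object.keys(meResponse).filter((k) => !byId.has(k)).sort();
}

// Demonstration with the constructed data.
const byIdResponse = stripProtectedFields('_Session', storedSession, serverConfig);
console.log('vulnerable /sessions/me leaks:',
  leakedKeys(sessionsMeVulnerable(storedSession), byIdResponse));
console.log('fixed /sessions/me leaks:',
  leakedKeys(sessionsMeFixed(storedSession, serverConfig), byIdResponse));
```

To apply `leakedKeys` to a real deployment, capture the JSON bodies of `GET /sessions/me` and `GET /sessions/<that session's objectId>` for the same session token and pass the parsed objects in; a non-empty result means protected fields are reaching the client through `/sessions/me`.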

### Workarounds

None.

### References

- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64
- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10406
- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10407
NVD CVSS 4.0 score: 5.3
Vulnerability type: CWE-863 Incorrect Authorization
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 7 Apr 2026