{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34574", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:56:30.998Z", "datePublished": "2026-03-31T15:08:31.013Z", "dateUpdated": "2026-04-01T17:57:27.398Z"}, "containers": {"cna": {"title": "Parse Server: Session field immutability bypass via falsy-value guard", "problemTypes": [{"descriptions": [{"cweId": "CWE-697", "lang": "en", "description": "CWE-697: Incorrect Comparison", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22"}, {"name": "https://github.com/parse-community/parse-server/pull/10347", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10347"}, {"name": "https://github.com/parse-community/parse-server/pull/10348", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10348"}, {"name": "https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21"}, {"name": "https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 8.6.69", "status": "affected"}, {"version": ">= 9.0.0, < 9.7.0-alpha.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T15:08:31.013Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14."}], "source": {"advisory": "GHSA-f6j3-w9v3-cq22", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T17:57:17.816603Z", "id": "CVE-2026-34574", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T17:57:27.398Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Parse Server: Session field immutability bypass via falsy-value guard", "source": {"advisory": "GHSA-f6j3-w9v3-cq22", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": "< 8.6.69"}, {"status": "affected", "version": ">= 9.0.0, < 9.7.0-alpha.14"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/pull/10347", "name": "https://github.com/parse-community/parse-server/pull/10347", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/pull/10348", "name": "https://github.com/parse-community/parse-server/pull/10348", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21", "name": "https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777", "name": "https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-697", "description": "CWE-697: Incorrect Comparison"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T15:08:31.013Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34574", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T17:57:17.816603Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-01T17:57:21.444Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-34574", "state": "PUBLISHED", "dateUpdated": "2026-03-31T15:08:31.013Z", "dateReserved": "2026-03-30T16:56:30.998Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T15:08:31.013Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14."}], "id": "CVE-2026-34574", "lastModified": "2026-04-01T14:24:02.583", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T16:16:33.923", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21"}, {"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777"}, {"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/pull/10347"}, {"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/pull/10348"}, {"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-697"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.69)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.7.0-alpha.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-03-31T16:20:51.871515+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading Parse Server to version 8.6.69 or later, or 9.7.0-alpha.14 or later.", "If immediate upgrade is not possible, revoke all existing user sessions and require re\u2011authentication to enforce new session lifetimes.", "Verify that session token rotation and expiration policies are enforced after applying the patch.", "Monitor authentication logs for abnormal session durations as an additional monitoring measure."], "summary": {"action": "Patch Immediately", "impact": "Indefinite session validity enabling unauthorized continued access"}, "threat_synthesis": {"affected_systems": "The flaw affects the open\u2011source Parse Server from parse-community. Any deployment running a version earlier than 8.6.69 or 9.7.0\u2011alpha.14 is vulnerable. The product is the Parse Server backend that can run on any Node.js\u2011capable infrastructure.", "description_and_impact": "The vulnerability permits an authenticated user to ignore the immutability guard on session fields by sending a null value in a PUT request to the session update endpoint. This nullifies the expiresAt and createdWith fields, effectively removing the session timeout and allowing the session to remain valid indefinitely. The weakness is a logical comparison error that bypasses expected safeguards and can result in prolonged unauthorized access.", "risk_and_exploitability": "The CVSS base score of 5.3 reflects a medium severity. No EPSS score is currently reported and the vulnerability is not listed in the CISA KEV catalog, indicating a lower likelihood of widespread exploitation. However, the attack requires an authenticated user with permission to update session data, which is common in many applications. Because the vulnerability allows an attacker to keep a session alive indefinitely, it can facilitate sustained, undetected abuse and data exfiltration for as long as the session remains active."}}}}, "created": "2026-03-31T19:54:14.458601+00:00", "updated": "2026-03-31T20:38:10.608408+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}