Session Field Overwrite Vulnerability in Parse Server by Parse Community
CVE-2026-33527

5.3 MEDIUM

Key Information:

Vendor: Parse Community
CVE Published: 24 March 2026

What is CVE-2026-33527?

Parse Server allowed an authenticated user to set server-managed session attributes, such as expiresAt and createdWith, when updating their own session object through the REST API. Because the expiry timestamp was no longer under the server's control, session lifetime policies could be breached and a user could extend a session indefinitely. The issue is fixed in versions 8.6.57 and 9.6.0-alpha.48.
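For deployments that cannot upgrade immediately, the following added example (not Parse Server's own code) is an Express-style guard placed in front of the Parse Server mount that rejects and logs client session updates touching the server-managed fields named above. It assumes the server is mounted at /parse, that request bodies are already parsed as JSON, and that session updates arrive on the /sessions/:id or /classes/_Session/:id routes; all sample requests in the comments are constructed.

```javascript
// Hypothetical mount path; adjust to match the deployment.
const MOUNT = '/parse';

// Session fields only the server should ever write (from the advisory);
// extend the list if other server-managed fields must be protected.
const PROTECTED_SESSION_FIELDS = ['expiresAt', 'createdWith'];

// Matches /parse/sessions/<id>, /parse/sessions/me and /parse/classes/_Session/<id>.
const SESSION_UPDATE_PATH = new RegExp(`^${MOUNT}/(sessions|classes/_Session)/[^/?]+/?$`);

// Returns the protected field names the request tries to write, or [] when the
// request is not a session update or does not touch any of them.
function forbiddenSessionFields(method, path, body) {
  // Parse SDKs may tunnel PUT through POST with a `_method` key, so both count.
  if (method !== 'PUT' && method !== 'POST') return [];
  if (!SESSION_UPDATE_PATH.test(path)) return [];
  if (!body || typeof body !== 'object') return [];
  // Object fields sit at the top level of the body next to _method/_SessionToken.
  return PROTECTED_SESSION_FIELDS.filter((f) => Object.prototype.hasOwnProperty.call(body, f));
}

// Express middleware: mount before the ParseServer app (after express.json()).
// Replies with Parse error code 119 (OPERATION_FORBIDDEN) so SDKs surface a
// normal Parse.Error, and logs the attempt for detection.
function sessionFieldGuard(req, res, next) {
  const fields = forbiddenSessionFields(req.method, req.path, req.body);
  if (fields.length === 0) return next();
  console.warn(`blocked session update setting ${fields.join(', ')} from ${req.ip}`);
  return res.status(403).json({
    code: 119,
    error: `Cannot modify ${fields.join(', ')} on a session`,
  });
}
```

Legitimate administrative writes (master key) never go through this path in normal operation, so the guard can stay in place until the upgrade is done.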

Affected Version(s)

parse-server < 8.6.57

parse-server >= 9.0.0, < 9.6.0-alpha.48

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 24 March 2026

  • Vulnerability reserved