Session Management Vulnerability in Parse Server by Parse Community
CVE-2026-34574

5.3 MEDIUM

Key Information:

Vendor: Parse Community
CVE Published: 31 March 2026

What is CVE-2026-34574?

Parse Server versions prior to 8.6.69 and 9.7.0-alpha.14 allow an authenticated user to bypass the immutability guards on a session by sending a null value in a PUT request to the session update endpoint. This lets the user nullify the session expiry, so an active session stays valid indefinitely and the configured session length policy is circumvented. The issue is patched in 8.6.69 and 9.7.0-alpha.14.

Affected Version(s)

parse-server < 8.6.69

parse-server >= 9.0.0, < 9.7.0-alpha.14
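
A defender's check for the two facts above, added here as an example and not taken from Parse Server: it tests a version string against the affected ranges using SemVer prerelease ordering, and lists session records whose expiry is null or absent. The function names and sample rows are constructed, and it assumes sessions exported as JSON with the `objectId` and `expiresAt` fields.

```javascript
// Added example (not Parse Server code). Version bounds come from the advisory;
// the session rows are constructed sample data in REST JSON form.
function parseVersion(v) {
  const i = v.indexOf("-");
  const core = (i < 0 ? v : v.slice(0, i)).split(".").map(Number);
  return { core, pre: i < 0 ? [] : v.slice(i + 1).split(".") };
}

// SemVer precedence: -1, 0 or 1. A prerelease sorts below its release.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let k = 0; k < 3; k++) {
    if (x.core[k] !== y.core[k]) return x.core[k] < y.core[k] ? -1 : 1;
  }
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length);
  for (let k = 0; k < Math.max(x.pre.length, y.pre.length); k++) {
    const p = x.pre[k], q = y.pre[k];
    if (p === undefined) return -1; // fewer identifiers sorts first
    if (q === undefined) return 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return Number(p) < Number(q) ? -1 : 1; // alpha.2 < alpha.14
    if (pn !== qn) return pn ? -1 : 1;                   // numeric < alphanumeric
    return p < q ? -1 : 1;
  }
  return 0;
}

// Affected: < 8.6.69, or >= 9.0.0 and < 9.7.0-alpha.14.
function isAffected(version) {
  if (compareVersions(version, "9.0.0") < 0) return compareVersions(version, "8.6.69") < 0;
  return compareVersions(version, "9.7.0-alpha.14") < 0;
}

// Sessions whose expiry is null or absent never time out; return their ids for review.
function sessionsWithoutExpiry(rows) {
  return rows.filter((s) => s.expiresAt == null).map((s) => s.objectId);
}

const sampleSessions = [ // constructed
  { objectId: "sessA", expiresAt: { __type: "Date", iso: "2026-04-30T00:00:00.000Z" } },
  { objectId: "sessB", expiresAt: null },
  { objectId: "sessC" },
];

console.log(isAffected("9.7.0-alpha.2"), sessionsWithoutExpiry(sampleSessions));
```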

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
