Information Exposure in Parse Server by Parse Community
CVE-2026-39381

5.3MEDIUM

Key Information:

Vendor

Parse-community

Status
Parse-server
Vendor
CVE Published:
7 April 2026

What is CVE-2026-39381?

Parse Server, an open source backend framework, was found to have a vulnerability that allowed authenticated users to access sensitive session information improperly. Specifically, prior to versions 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returned protected _Session fields, which should have been restricted based on server configuration. This flaw could potentially expose sensitive data to users in their own session. The GET /sessions and GET /sessions/:objectId endpoints functioned correctly by excluding these protected fields, highlighting a discrepancy in handling session data. The issue has been addressed in subsequent updates, ensuring better security by protecting sensitive information from unauthorized access.

Affected Version(s)

parse-server >= 9.0.0, < 9.8.0-alpha.7 < 9.0.0, 9.8.0-alpha.7

parse-server >= 7.0.0, < 8.6.75 < 7.0.0, 8.6.75

References

https://github.com/parse-community/parse-server/security/...
x_refsource_CONFIRM
https://github.com/parse-community/parse-server/pull/10406
x_refsource_MISC
https://github.com/parse-community/parse-server/pull/10407
x_refsource_MISC

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.