PT-2026-27482 · Unknown · Parse Server

Restriction

·

Published

2026-03-24

·

Updated

2026-03-27

·

CVE-2026-33527

CVSS v4.0

5.3

Medium

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 8.6.57
Parse Server versions prior to 9.6.0-alpha.48

Description

An authenticated user can modify server-generated session fields, such as expiresAt and createdWith, when updating their own session through the REST API. This bypasses the server's session lifetime policy and can make a session permanent, giving the user extended or indefinite session access instead of the duration the server intended.

Recommendations

Upgrade to Parse Server version 8.6.57 or later.
Upgrade to Parse Server version 9.6.0-alpha.48 or later.
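The description above says the weakness is a session update that lets a client set fields the server is supposed to own. As an added illustration (not Parse Server's code or its actual fix), the check below inspects REST session updates for those two fields and treats any attempt to set them without the master key as suspicious; the request shape, the sample records and the mount path `/parse` are assumptions for the example.

```javascript
// Added example: detect or strip client-supplied values for the
// server-generated session fields named in the advisory. Hypothetical
// middleware-style logic, not Parse Server's implementation of the fix.
const PROTECTED_SESSION_FIELDS = new Set(['expiresAt', 'createdWith']);
// Matches PUT /sessions/me and PUT /sessions/<objectId> (optionally under /parse).
const SESSION_PATH = /^\/(?:parse\/)?sessions\/(?:me|[A-Za-z0-9]+)$/;

function hasMasterKey(headers) {
  return Object.keys(headers || {}).some(h => h.toLowerCase() === 'x-parse-master-key');
}

// Returns { allowed, reason, fields } for one request record.
function inspectSessionUpdate(req) {
  if (req.method !== 'PUT' || !SESSION_PATH.test(req.path)) {
    return { allowed: true, reason: 'not a session update', fields: [] };
  }
  const touched = Object.keys(req.body || {}).filter(k => PROTECTED_SESSION_FIELDS.has(k));
  if (touched.length === 0) {
    return { allowed: true, reason: 'no server-generated fields in body', fields: [] };
  }
  // Only privileged (master key) requests may legitimately set these fields.
  if (hasMasterKey(req.headers)) {
    return { allowed: true, reason: 'master key request', fields: touched };
  }
  return { allowed: false, reason: 'client tried to set server-generated session field(s)', fields: touched };
}

// Alternative to rejecting: drop the protected fields and let the rest of the update through.
function sanitizeSessionUpdate(body) {
  const clean = {};
  for (const [k, v] of Object.entries(body || {})) {
    if (!PROTECTED_SESSION_FIELDS.has(k)) clean[k] = v;
  }
  return clean;
}

// Constructed sample request log (not real traffic) to run the check over.
const SAMPLE_REQUESTS = [
  { method: 'PUT', path: '/parse/sessions/me', headers: { 'X-Parse-Session-Token': 'r:constructed' },
    body: { expiresAt: { __type: 'Date', iso: '2099-01-01T00:00:00.000Z' } } },
  { method: 'PUT', path: '/parse/sessions/me', headers: { 'X-Parse-Session-Token': 'r:constructed' },
    body: { installationId: 'constructed-install-id' } },
  { method: 'PUT', path: '/parse/sessions/abc123', headers: { 'X-Parse-Master-Key': 'constructed' },
    body: { createdWith: { action: 'login', authProvider: 'password' } } },
  { method: 'GET', path: '/parse/sessions/me', headers: {}, body: {} },
];

function findSuspiciousUpdates(requests) {
  return requests.map((r, i) => ({ index: i, ...inspectSessionUpdate(r) })).filter(r => !r.allowed);
}
```

Run over the sample records, only the first request (a session-token user setting expiresAt on its own session) is flagged; the master-key update and the benign installationId update pass.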

Weakness Enumeration

Incorrect Authorization

Related identifiers

BIT-PARSE-2026-33527
CVE-2026-33527
GHSA-JC39-686J-WP6Q

Affected products

Parse Server