PT-2026-24456 · Unknown · Parse Server
Theinfosecguy · Published 2026-03-10 · Updated 2026-03-12
CVE-2026-30965
CVSS v4.0: 9.9 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 9.5.2-alpha.8
Parse Server versions prior to 8.6.21
Description
Parse Server, an open-source backend deployable on Node.js infrastructure, contains an issue in its query handling. An attacker, whether authenticated or unauthenticated, can potentially obtain session tokens belonging to other users by manipulating the redirectClassNameForKey query parameter. Successful exploitation requires that the attacker be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. Compromised session tokens could allow account takeover.
Recommendations
Update Parse Server to version 9.5.2-alpha.8 or later.
Update Parse Server to version 8.6.21 or later.
Weakness Enumeration
Incorrect Authorization
Affected Products
Parse Server