PT-2026-25982 · Npm · Parse Server

Published

2026-03-17

·

Updated

2026-03-17

·

CVE-2026-32742

CVSS v3.1
4.3
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Impact

An authenticated user can overwrite server-generated session fields (sessionToken, expiresAt, createdWith) when creating a session object via POST /classes/_Session. The client-supplied values take precedence over the ones the server generates, so a user can bypass the server's session expiration policy by setting an arbitrary far-future expiresAt, and can choose the sessionToken value, making the token predictable.

Patches

The session creation endpoint now filters out server-generated fields from user-supplied data, preventing them from being overwritten.

Workarounds

Add a beforeSave trigger on the _Session class that validates incoming writes and either rejects them or strips any client-supplied values for sessionToken, expiresAt, and createdWith.

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-32742
GHSA-5V7G-9H8F-8PGG

Affected Products

Parse Server