PT-2026-25982 · Parse · Parse Server

7Azimo01

Published

2026-03-17

Updated

2026-03-20

CVE-2026-32742

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.6.0-alpha.17 Parse Server versions prior to 8.6.42

Description An authenticated user can overwrite server-generated session fields (sessionToken, expiresAt, createdWith) when creating a session object via the POST /classes/ Session API endpoint. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date and allows setting a predictable session token value. The sessionToken, expiresAt, and createdWith are vulnerable parameters.

Recommendations Versions prior to 9.6.0-alpha.17: Upgrade to version 9.6.0-alpha.17 or later. Versions prior to 8.6.42: Upgrade to version 8.6.42 or later. As a workaround for all affected versions, add a beforeSave trigger on the Session class to validate and reject or strip any user-supplied values for sessionToken, expiresAt, and createdWith.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-915

Related Identifiers

BIT-PARSE-2026-32742

CVE-2026-32742

GHSA-5V7G-9H8F-8PGG

Affected Products

Parse Server

PT-2026-25982 · Parse · Parse Server

CVE-2026-32742

Weakness Enumeration

Related Identifiers

Affected Products

References · 11