PT-2026-27482 · Unknown · Parse Server
Restriction
·
Published
2026-03-24
·
Updated
2026-03-27
·
CVE-2026-33527
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 8.6.57
Parse Server versions prior to 9.6.0-alpha.48
Description
An authenticated user can modify server-generated session fields, such as expiresAt and createdWith, when updating their own session through the REST API. Because the server accepts these client-supplied values, its session lifetime policy is bypassed: a user can push expiresAt far into the future and keep a session alive indefinitely, effectively making it permanent. Operators therefore lose the ability to enforce a maximum session duration for such users.
Recommendations
Upgrade to Parse Server version 8.6.57 or later.
Upgrade to Parse Server version 9.6.0-alpha.48 or later.
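The following is an added illustration of the bug class described above, not Parse Server's own code and not the actual fix. It models a handler for the "update my own session" REST operation first as the vulnerable pattern (every key in the client body is merged into the stored session) and then hardened so that server-generated fields such as expiresAt and createdWith are rejected. The field list, the sample session, the attacker and legitimate request bodies, and all function names are assumptions made for the example.

```javascript
// Added illustration of the bug class behind CVE-2026-33527; this is not
// Parse Server's code. Names, the sample session and the protected field
// list are assumptions for the example.

// Fields the server owns on a session record. A client update may never set them.
const SERVER_MANAGED_SESSION_FIELDS = new Set([
  'objectId', 'sessionToken', 'user', 'createdWith', 'expiresAt',
  'restricted', 'createdAt', 'updatedAt',
]);

// Constructed sample: a session as the server created it, valid for one hour.
function sampleSession() {
  return {
    objectId: 'sess-0001',
    sessionToken: 'r:constructed-not-a-real-token',
    user: { __type: 'Pointer', className: '_User', objectId: 'user-0001' },
    createdWith: { action: 'login', authProvider: 'password' },
    expiresAt: { __type: 'Date', iso: '2026-03-24T13:00:00.000Z' },
    installationId: 'device-A',
  };
}

// Vulnerable pattern: every key in the client body overwrites the stored session.
function updateSessionVulnerable(session, clientBody) {
  return { ...session, ...clientBody };
}

class ForbiddenFieldError extends Error {
  constructor(field) {
    super(`field "${field}" is set by the server and cannot be modified`);
    this.name = 'ForbiddenFieldError';
    this.field = field;
  }
}

// Hardened pattern: reject the request if it names a server-managed field.
// Rejecting (rather than silently dropping the key) makes probing visible in logs.
function updateSessionHardened(session, clientBody) {
  for (const key of Object.keys(clientBody)) {
    if (SERVER_MANAGED_SESSION_FIELDS.has(key)) {
      throw new ForbiddenFieldError(key);
    }
  }
  return { ...session, ...clientBody };
}

// Lifetime check the rest of the server relies on: a session is usable only
// while expiresAt lies in the future.
function isSessionLive(session, now = new Date()) {
  return new Date(session.expiresAt.iso).getTime() > now.getTime();
}

// Constructed attacker body: push expiry far into the future and relabel
// how the session was created.
const ATTACKER_BODY = {
  expiresAt: { __type: 'Date', iso: '2999-01-01T00:00:00.000Z' },
  createdWith: { action: 'signup', authProvider: 'anonymous' },
};

// Constructed legitimate body: only a client-owned field is changed.
const LEGIT_BODY = { installationId: 'device-B' };

// Runs both handlers against both bodies and returns what a tester would check.
function demo() {
  const farFuture = new Date('2100-01-01T00:00:00.000Z');
  const hijacked = updateSessionVulnerable(sampleSession(), ATTACKER_BODY);

  let hardenedRejected = false;
  try {
    updateSessionHardened(sampleSession(), ATTACKER_BODY);
  } catch (e) {
    hardenedRejected = e instanceof ForbiddenFieldError;
  }

  const legit = updateSessionHardened(sampleSession(), LEGIT_BODY);
  return {
    vulnerableStillLiveIn2100: isSessionLive(hijacked, farFuture),
    hardenedRejected,
    legitUpdatedInstallation: legit.installationId,
    legitExpiryUnchanged: legit.expiresAt.iso === sampleSession().expiresAt.iso,
  };
}

console.log(demo());
```

To check a live deployment rather than this model, log in as an ordinary user, send a PUT to the caller's own session resource in the Parse REST API (`/sessions/me`, authenticated with that user's session token) whose body sets expiresAt to a date years ahead, then GET the same resource back. A fixed server (8.6.57 / 9.6.0-alpha.48 or later) must not return the attacker-supplied expiresAt; if it does, the instance is still affected.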
Exploit
Fix
Weakness Enumeration
Incorrect Authorization
Related Identifiers
Affected Products
Parse Server