PT-2026-29278 · Unknown · Parse Server

Bugbunny-Research · Published 2026-03-31 · Updated 2026-04-06 · CVE-2026-34574

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 8.6.69 and 9.7.0-alpha.14

Description

An authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, which makes the session valid indefinitely and bypasses configured session length policies. The fix replaces the truthiness-based guard checks with key-presence checks that reject any value for protected session fields, including null.

Recommendations

Update to version 8.6.69 or 9.7.0-alpha.14.
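
The guard change described above, as an added JavaScript illustration; it is a simplified model and not Parse Server's source code. The function names, the session shape and the rule that a session without an expiry value never expires are assumptions of the model.

```javascript
// Simplified model of a session-update guard; NOT Parse Server's source.
// All function names and the session shape are assumptions for illustration.
const PROTECTED_FIELDS = ['expiresAt', 'createdWith'];

// Weak form: rejects only when the supplied value is truthy,
// so null (and 0, '' or false) passes through the guard.
function truthinessGuard(update) {
  for (const field of PROTECTED_FIELDS) {
    if (update[field]) {
      throw new Error(`Cannot modify protected field: ${field}`);
    }
  }
}

// Corrected form: rejects whenever the key is present, whatever its value.
function keyPresenceGuard(update) {
  for (const field of PROTECTED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(update, field)) {
      throw new Error(`Cannot modify protected field: ${field}`);
    }
  }
}

// Apply a parsed JSON update body to a stored session after running the guard.
function applyUpdate(session, update, guard) {
  guard(update);
  return { ...session, ...update };
}

// Model assumption: a session without an expiry value never expires.
function isExpired(session, now) {
  return session.expiresAt != null && new Date(session.expiresAt) <= now;
}

// Constructed sample data: a stored session and a parsed update body.
const stored = {
  sessionToken: 'r:constructed-token',
  expiresAt: '2026-01-01T00:00:00.000Z',
  createdWith: { action: 'login' },
};
const body = JSON.parse('{"expiresAt": null}');

// Run the update under a given guard and report whether it was accepted.
function tryUpdate(guard) {
  try {
    return { ok: true, session: applyUpdate(stored, body, guard) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```

A regression test for this class of bug should send each protected key with null, 0, an empty string and false, and expect a rejection in every case.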

Related Identifiers

BIT-PARSE-2026-34574
CVE-2026-34574
GHSA-F6J3-W9V3-CQ22

Affected Products

Parse Server