PT-2026-31008 · Unknown · Parse Server
Offset
Published 2026-04-07 · Updated 2026-04-09
CVE-2026-39381
CVSS v4.0: 5.3 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 9.8.0-alpha.7 and prior to 8.6.75
Description
Parse Server, an open-source backend deployable on Node.js infrastructures, is affected by an issue where the GET /sessions/me API endpoint improperly returns protected session fields. Specifically, fields that the server operator has explicitly marked as protected through the protectedFields server option are exposed to any authenticated user requesting their own session data. The GET /sessions and GET /sessions/:objectId endpoints behave correctly and strip these protected fields.
Recommendations
Update to Parse Server version 9.8.0-alpha.7 or later.
Update to Parse Server version 8.6.75 or later.
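The endpoint inconsistency described above, as an added example that is not Parse Server's own code: a vulnerable and a fixed shape of the /sessions/me handler side by side, plus a defender's check that lists which configured-protected fields a response body still exposes. The protectedFields config value, the session store and the field names are constructed for illustration; only the '*' (everyone) key of the option is modeled.

```javascript
// Added example, not Parse Server's own code. Models the advisory's bug:
// session routes share a protectedFields filter except /sessions/me, which
// returns the raw record. The config shape { className: { '*': [fields] } }
// follows the protectedFields option; only the '*' (everyone) key is modeled.
const protectedFields = { _Session: { '*': ['installationId', 'createdWith'] } }; // assumed config

// Constructed sample session store, keyed by session token.
const sessions = {
  'r:abc123': {
    objectId: 'S1',
    sessionToken: 'r:abc123',
    user: { __type: 'Pointer', className: '_User', objectId: 'U1' },
    installationId: 'ios-0000',
    createdWith: { action: 'login', authProvider: 'password' },
  },
};

// Remove every field listed under protectedFields[className]['*'].
function stripProtected(className, obj, config = protectedFields) {
  const hidden = new Set((config[className] || {})['*'] || []);
  return Object.fromEntries(Object.entries(obj).filter(([k]) => !hidden.has(k)));
}

// Vulnerable shape of GET /sessions/me: looks up the caller's session and
// returns the record without running the shared filter.
function getSessionsMeVulnerable(token, store = sessions) {
  const s = store[token];
  return s ? { ...s } : null;
}

// Fixed shape: same lookup, but the result passes through the same filter
// that GET /sessions and GET /sessions/:objectId already apply.
function getSessionsMeFixed(token, store = sessions, config = protectedFields) {
  const s = store[token];
  return s ? stripProtected('_Session', s, config) : null;
}

// Defender's check: which configured-protected fields does a response expose?
// Feed it the JSON body of a real GET /sessions/me call (with your own
// protectedFields value) to confirm a deployment is patched.
function leakedProtectedFields(className, body, config = protectedFields) {
  if (!body) return [];
  const hidden = (config[className] || {})['*'] || [];
  return hidden.filter((f) => Object.prototype.hasOwnProperty.call(body, f));
}
```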
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Parse Server