CVE-2026-33527

EUVD-2026-14974

24.03.2026, 19:16

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. This issue has been patched in versions 8.6.57 and 9.6.0-alpha.48.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
parseplatform	parse-server	𝑥 < 8.6.57
parseplatform	parse-server	9.0.0 ≤ 𝑥 < 9.6.0
parseplatform	parse-server	9.6.0:alpha1
parseplatform	parse-server	9.6.0:alpha10
parseplatform	parse-server	9.6.0:alpha11
parseplatform	parse-server	9.6.0:alpha12
parseplatform	parse-server	9.6.0:alpha13
parseplatform	parse-server	9.6.0:alpha14
parseplatform	parse-server	9.6.0:alpha15
parseplatform	parse-server	9.6.0:alpha16
parseplatform	parse-server	9.6.0:alpha17
parseplatform	parse-server	9.6.0:alpha18
parseplatform	parse-server	9.6.0:alpha19
parseplatform	parse-server	9.6.0:alpha2
parseplatform	parse-server	9.6.0:alpha20
parseplatform	parse-server	9.6.0:alpha21
parseplatform	parse-server	9.6.0:alpha22
parseplatform	parse-server	9.6.0:alpha23
parseplatform	parse-server	9.6.0:alpha24
parseplatform	parse-server	9.6.0:alpha25
parseplatform	parse-server	9.6.0:alpha26
parseplatform	parse-server	9.6.0:alpha27
parseplatform	parse-server	9.6.0:alpha28
parseplatform	parse-server	9.6.0:alpha29
parseplatform	parse-server	9.6.0:alpha3
parseplatform	parse-server	9.6.0:alpha30
parseplatform	parse-server	9.6.0:alpha31
parseplatform	parse-server	9.6.0:alpha32
parseplatform	parse-server	9.6.0:alpha33
parseplatform	parse-server	9.6.0:alpha34
parseplatform	parse-server	9.6.0:alpha35
parseplatform	parse-server	9.6.0:alpha36
parseplatform	parse-server	9.6.0:alpha37
parseplatform	parse-server	9.6.0:alpha38
parseplatform	parse-server	9.6.0:alpha39
parseplatform	parse-server	9.6.0:alpha4
parseplatform	parse-server	9.6.0:alpha40
parseplatform	parse-server	9.6.0:alpha41
parseplatform	parse-server	9.6.0:alpha42
parseplatform	parse-server	9.6.0:alpha43
parseplatform	parse-server	9.6.0:alpha44
parseplatform	parse-server	9.6.0:alpha45
parseplatform	parse-server	9.6.0:alpha46
parseplatform	parse-server	9.6.0:alpha47
parseplatform	parse-server	9.6.0:alpha5
parseplatform	parse-server	9.6.0:alpha6
parseplatform	parse-server	9.6.0:alpha7
parseplatform	parse-server	9.6.0:alpha8
parseplatform	parse-server	9.6.0:alpha9

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73

https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984

https://github.com/parse-community/parse-server/pull/10263

https://github.com/parse-community/parse-server/pull/10264

https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q