CVE-2026-39381

EUVD-2026-19917

07.04.2026, 20:16

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Affected Products (NVD)

Vendor	Product	Version
parseplatform	parse-server	𝑥 < 8.6.75
parseplatform	parse-server	9.0.0 ≤ 𝑥 < 9.8.0
parseplatform	parse-server	9.8.0:alpha1
parseplatform	parse-server	9.8.0:alpha2
parseplatform	parse-server	9.8.0:alpha3
parseplatform	parse-server	9.8.0:alpha4
parseplatform	parse-server	9.8.0:alpha5
parseplatform	parse-server	9.8.0:alpha6

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://github.com/parse-community/parse-server/pull/10406

https://github.com/parse-community/parse-server/pull/10407

https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64