EUVD-2026-14974
GHSA-jc39-686j-wp6q
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
### Impact An authenticated user can overwrite server-generated session fields such as `expiresAt` and `createdWith` when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. ### Patches The fix blocks authenticated users from setting `expiresAt` and `createdWith` fields when updating a session. Master key and maintenance key operations are not affected. ### Workarounds There is no known workaround other than upgrading. ### Resources - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q - Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10263 - Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10264
Analysis
An authenticated user can manipulate server-generated session fields (expiresAt and createdWith) when updating their own session via the Parse Server REST API, allowing them to extend or indefinitely prolong their session validity and bypass the server's configured session lifetime policies. This authentication bypass affects Parse Server (npm:parse-server) on both version 8 and 9 branches, enabling a low-complexity attack that requires only valid user credentials. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today