Skip to main content

EUVDEUVD-2026-14974

| CVE-2026-33527 MEDIUM
Incorrect Authorization (CWE-863)
2026-03-24 https://github.com/parse-community/parse-server GHSA-jc39-686j-wp6q
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 16:45 euvd
EUVD-2026-14974
Analysis Generated
Mar 24, 2026 - 16:45 vuln.today
Patch released
Mar 24, 2026 - 16:45 nvd
Patch available
CVE Published
Mar 24, 2026 - 16:34 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Impact

An authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent.

Patches

The fix blocks authenticated users from setting expiresAt and createdWith fields when updating a session. Master key and maintenance key operations are not affected.

Workarounds

There is no known workaround other than upgrading.

Resources

  • GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q
  • Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10263
  • Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10264

AnalysisAI

An authenticated user can manipulate server-generated session fields (expiresAt and createdWith) when updating their own session via the Parse Server REST API, allowing them to extend or indefinitely prolong their session validity and bypass the server's configured session lifetime policies. This authentication bypass affects Parse Server (npm:parse-server) on both version 8 and 9 branches, enabling a low-complexity attack that requires only valid user credentials. No public exploit or active exploitation in the wild has been documented, but patches are available from the vendor.

Technical ContextAI

Parse Server is a Node.js backend-as-a-service platform (CPE: pkg:npm/parse-server) that manages user authentication and session handling through REST API endpoints. The vulnerability resides in the session update mechanism where the application fails to properly validate and filter user-controlled input against protected server-generated fields. This is classified as CWE-863 (Incorrect Authorization), specifically an authorization bypass where user-supplied data improperly overwrites fields that should be immutable on the server side. The root cause is insufficient input validation in the session update handler, which allows authenticated principals to modify fields designated for server-only control (expiresAt for session expiration and createdWith for audit tracking).

RemediationAI

Immediately upgrade Parse Server to the patched version corresponding to your major version line: for Parse Server 9, apply the fix from PR #10263; for Parse Server 8, apply PR #10264 (check the official release notes for exact version numbers). The patches block authenticated users from setting expiresAt and createdWith fields during session updates while preserving master key and maintenance key privileges. Until patching is completed, implement compensatory controls by restricting REST API access to trusted networks, enforcing strong authentication mechanisms (multi-factor authentication), monitoring session update logs for suspicious expiresAt modifications, and reducing configured session lifetime to minimize exposure window. For detailed patching instructions, refer to https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q.

Share

EUVD-2026-14974 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy