CVE-2026-32742

Published: Mar 18, 2026 Last Modified: Mar 18, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 4,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: none

Description

AI Translation Available

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session object via `POST /classes/_Session`. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value. Starting in version 9.6.0-alpha.17 and 8.6.42, the session creation endpoint filters out server-generated fields from user-supplied data, preventing them from being overwritten. As a workaround, add a `beforeSave` trigger on the `_Session` class to validate and reject or strip any user-supplied values for `sessionToken`, `expiresAt`, and `createdWith`.

915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Other
Potential Impacts:
Modify Application Data Execute Unauthorized Code Or Commands Varies By Context Alter Execution Logic
Applicable Platforms
Languages: ASP.NET, Not Language-Specific, PHP, Python, Ruby
View CWE Details
https://github.com/parse-community/parse-server/pull/10195
https://github.com/parse-community/parse-server/pull/10195
https://github.com/parse-community/parse-server/pull/10196
https://github.com/parse-community/parse-server/pull/10196
https://github.com/parse-community/parse-server/security/ad…
https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9…