Auth bypass in Parse-community Parse-server

CVE-2026-33527

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and…

Vulnerability class: Broken Access Control

EPSS: 0.000 (2.6th percentile)

Affected products

Weakness classification (CWE)

References