Vulnerability in Parse-community Parse-server

CVE-2026-34574

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, crea…

EPSS: 0.000 (10.7th percentile) — read the EPSS interpretation.

Affected products

Parse-community Parse-server — versions < 8.6.69, >= 9.0.0, < 9.7.0-alpha.14

Weakness classification (CWE)

CWE-697 — Incorrect Comparison

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22 (x_refsource_CONFIRM)
https://github.com/parse-community/parse-server/pull/10347 (x_refsource_MISC)
https://github.com/parse-community/parse-server/pull/10348 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777 (x_refsource_MISC)