Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session object via `POST /classes/_Session`. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value. Starting in version 9.6.0-alpha.17 and 8.6.42, the session creation endpoint filters out server-generated fields from user-supplied data, preventing them from being overwritten. As a workaround, add a `beforeSave` trigger on the `_Session` class to validate and reject or strip any user-supplied values for `sessionToken`, `expiresAt`, and `createdWith`.
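The `beforeSave` workaround from the description, written out as an added example (this is not code from the advisory or from the Parse Server project): a Cloud Code trigger on `_Session` that rejects any non-master-key save attempting to write the three server-generated fields. The `fakeRequest` helper is a constructed stand-in for Parse's trigger request object so the check can run offline.

```javascript
// Fields Parse Server generates itself; a client must never be allowed to set them.
const SERVER_GENERATED_SESSION_FIELDS = ['sessionToken', 'expiresAt', 'createdWith'];

// Returns the protected fields the request is trying to write, in the order above.
// Parse Server's own session writes carry the master key, so those are never flagged.
// Using dirtyKeys() covers both creation (POST) and later updates (PUT).
function findForbiddenSessionFields(request) {
  if (request.master) return [];
  const changed = request.object.dirtyKeys();
  return SERVER_GENERATED_SESSION_FIELDS.filter((field) => changed.includes(field));
}

// Parse Server treats an error thrown from a beforeSave trigger as a rejected save,
// so a tampered session is never persisted. (Stripping the fields instead of
// rejecting is the other option the advisory names.)
function sessionBeforeSave(request) {
  const forbidden = findForbiddenSessionFields(request);
  if (forbidden.length > 0) {
    throw new Error(`Cannot set server-generated session field(s): ${forbidden.join(', ')}`);
  }
}

// Registration as it would appear in main.js; the Parse global exists only when
// this file is loaded by Parse Server as Cloud Code.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeSave('_Session', sessionBeforeSave);
}

// Constructed stand-in for the trigger's request object (offline demonstration only):
// `changedKeys` mimics what request.object.dirtyKeys() would report.
function fakeRequest(changedKeys, master = false) {
  return { master, object: { dirtyKeys: () => changedKeys } };
}

// Example: an authenticated client trying to pin its own far-future expiresAt.
function demo() {
  try {
    sessionBeforeSave(fakeRequest(['user', 'expiresAt']));
    return 'allowed';
  } catch (err) {
    return 'rejected: ' + err.message;
  }
}
```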
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.42 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/pull/10195 (Issue Tracking)
- https://github.com/parse-community/parse-server/pull/10196 (Issue Tracking)
- https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h (Vendor Advisory)
FAQ
What is CVE-2026-32742?
CVE-2026-32742 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session...
How severe is CVE-2026-32742?
CVE-2026-32742 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-32742?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.