QwikSec

Security Database

CVE

CWE

Training

CVE-2026-34574

Published: Mar 31, 2026

Modified: Apr 1, 2026

PUBLISHED

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.

Vendor	Product	Versions
parse-community	parse-server	affected `< 8.6.69` affected `>= 9.0.0, < 9.7.0-alpha.14`

Weaknesses (CWE)

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22

x_refsource_CONFIRM

https://github.com/parse-community/parse-server/pull/10347

x_refsource_MISC

https://github.com/parse-community/parse-server/pull/10348

x_refsource_MISC

https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21

x_refsource_MISC

https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.