Moderate severity · NVD Advisory · Published Mar 24, 2026 · Updated Mar 24, 2026
Parse Server: Session update endpoint allows overwriting server-generated session fields
CVE-2026-33527
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. This issue has been patched in versions 8.6.57 and 9.6.0-alpha.48.
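As a defender-side illustration of the mechanism described above (added here; not code from Parse Server or from the fix commits), the check below rejects a session update body that touches server-managed fields. The field list beyond `expiresAt` and `createdWith`, and the Express route shown in the trailing comment, are assumptions.

```javascript
// Added example, not Parse Server's own code. Fields a client must never be
// able to set or unset on its own _Session object. expiresAt and createdWith
// are the ones named in the advisory; the others are assumed for illustration.
const PROTECTED_SESSION_FIELDS = new Set([
  'expiresAt',   // lifetime, must follow the server's configured session policy
  'createdWith', // how the session was created (login, signup, ...)
  'sessionToken',
  'user',
]);

// Returns the protected fields a REST update body attempts to touch.
// Mere presence of the key counts: a Parse-style {"__op": "Delete"} that
// unsets expiresAt would also make the session permanent, so it is rejected
// just like an explicit far-future date.
function findProtectedSessionFieldChanges(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return [];
  }
  return Object.keys(body).filter((key) => PROTECTED_SESSION_FIELDS.has(key));
}

// Decide whether a self-service session update may proceed.
function validateSessionUpdate(body) {
  const offending = findProtectedSessionFieldChanges(body);
  if (offending.length > 0) {
    return {
      ok: false,
      error: `cannot modify server-managed session fields: ${offending.join(', ')}`,
    };
  }
  return { ok: true };
}

// Hypothetical wiring as an Express middleware in front of the session
// update route (adapt the path to the deployment's actual mount point).
// Parse reports such refusals with error code 119, OPERATION_FORBIDDEN.
// app.put('/parse/sessions/:id', (req, res, next) => {
//   const result = validateSessionUpdate(req.body);
//   if (!result.ok) return res.status(400).json({ code: 119, error: result.error });
//   next();
// });
```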
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| parse-server (npm) | >= 9.0.0, < 9.6.0-alpha.48 | 9.6.0-alpha.48 |
| parse-server (npm) | < 8.6.57 | 8.6.57 |
Affected products
- (no CPE) range: < 8.6.57
- (no CPE) range: >= 9.0.0, < 9.6.0-alpha.48
References
- https://github.com/advisories/GHSA-jc39-686j-wp6q (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-33527 (NVD advisory)
- https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73 (fix commit)
- https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984 (fix commit)
- https://github.com/parse-community/parse-server/pull/10263 (fix PR)
- https://github.com/parse-community/parse-server/pull/10264 (fix PR)
- https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q (vendor advisory, confirm)