Medium severity 5.4 · NVD Advisory · Published Mar 31, 2026 · Updated Apr 2, 2026
CVE-2026-34574
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| parse-server (npm) | >= 9.0.0, < 9.7.0-alpha.14 | 9.7.0-alpha.14 |
| parse-server (npm) | < 8.6.69 | 8.6.69 |
Affected products
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha10:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha11:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha12:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha13:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha8:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha9:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:* (range: < 8.6.69)
- osv-coords, 2 versions:
  - (no CPE) range: < 8.6.69
  - (no CPE) range: >= 9.0.0, < 9.7.0-alpha.14
References
- github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21 (nvd: Patch, WEB)
- github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777 (nvd: Patch, WEB)
- github.com/parse-community/parse-server/pull/10347 (nvd: Issue Tracking, Patch, WEB)
- github.com/parse-community/parse-server/pull/10348 (nvd: Issue Tracking, Patch, WEB)
- github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22 (nvd: Patch, Vendor Advisory, WEB)
- github.com/advisories/GHSA-f6j3-w9v3-cq22 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-34574 (ghsa: ADVISORY)