Parse Server is an open-source backend framework that runs on Node.js and is widely used for building mobile and web applications. CVE-2026-30965 is an incorrect authorization vulnerability (CWE-863) discovered in parse-server's query handling mechanism. The flaw arises from improper authorization checks on the redirectClassNameForKey query parameter, which can be manipulated by attackers to access session tokens belonging to other users. The vulnerability can be exploited by either authenticated or unauthenticated attackers who have the capability to create or update objects with new relation fields, a capability governed by Class-Level Permissions (CLPs) on at least one class in the database schema. By exploiting this, attackers can exfiltrate session tokens without needing any privileges or user interaction. These session tokens can then be used to impersonate users, effectively allowing account takeover. The vulnerability affects parse-server versions from 8.x up to but not including 8.6.21, and 9.0.0 up to but not including 9.5.2-alpha.8. The CVSS 4.0 score of 9.9 reflects the critical nature of this vulnerability, with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild, the ease of exploitation and severity make this a high-risk issue. The vulnerability was publicly disclosed on March 10, 2026, and fixed in the indicated patched versions.

The impact of CVE-2026-30965 is severe for organizations using affected versions of parse-server. Successful exploitation leads to session token exfiltration, enabling attackers to hijack user accounts and gain unauthorized access to sensitive data and application functionality. This compromises confidentiality and integrity of user data and can disrupt availability if attackers perform malicious actions under hijacked accounts. Organizations relying on parse-server for backend services, especially those handling sensitive user information or critical business processes, face risks of data breaches, fraud, and reputational damage. The vulnerability requires no privileges or user interaction, increasing the likelihood of automated or large-scale attacks. Given parse-server's use in mobile and web applications globally, the threat surface is broad, potentially impacting startups, enterprises, and service providers. Without timely patching, attackers could leverage this flaw to escalate privileges, bypass access controls, and perform lateral movement within affected environments.

To mitigate CVE-2026-30965, organizations should immediately upgrade parse-server to versions 9.5.2-alpha.8 or later, or 8.6.21 or later, where the vulnerability is fixed. Until upgrades can be applied, restrict access to parse-server endpoints by implementing network-level controls such as IP whitelisting and firewall rules to limit exposure. Review and tighten Class-Level Permissions (CLPs) to minimize the ability of users or unauthenticated actors to create or update objects with relation fields. Implement monitoring and alerting for unusual query patterns involving redirectClassNameForKey parameters or unexpected object relation modifications. Employ session token management best practices, including short token lifetimes and revocation mechanisms, to reduce the window of opportunity for attackers. Conduct thorough security assessments and penetration testing focused on authorization controls in parse-server deployments. Finally, maintain an up-to-date inventory of parse-server instances and ensure all development and production environments are patched promptly.