Parse Server is an open-source backend framework that runs on Node.js and is widely used to build scalable applications. In versions prior to 9.6.0-alpha.17 and 8.6.42, a vulnerability (CVE-2026-32742) exists due to improper control over modification of dynamically-determined object attributes (CWE-915). Specifically, authenticated users can overwrite critical server-generated session fields—sessionToken, expiresAt, and createdWith—when creating a session object via the POST /classes/_Session API endpoint. This flaw allows attackers to bypass the server's session expiration mechanism by setting the expiresAt field to a far-future date, effectively creating sessions that never expire. Additionally, attackers can set predictable sessionToken values, which compromises session integrity and could facilitate session fixation or replay attacks. The root cause is insufficient filtering of user-supplied data before it is saved to the session object. Starting with versions 9.6.0-alpha.17 and 8.6.42, the parse-server codebase filters out these server-generated fields from user input during session creation, preventing overwriting. As a mitigation, developers can add a beforeSave trigger on the _Session class to validate or reject any user-supplied values for these fields, ensuring session attributes remain under server control. The vulnerability requires the attacker to be authenticated but does not require additional user interaction. The CVSS v3.1 base score is 4.3 (medium), reflecting the limited scope and the requirement for authentication. No known exploits have been reported in the wild, but the vulnerability poses a risk to applications relying on parse-server for session management.

The vulnerability allows authenticated attackers to manipulate session attributes, undermining session management security. By setting arbitrary far-future expiration dates, attackers can maintain persistent sessions indefinitely, bypassing intended session expiration policies and increasing the risk of unauthorized long-term access. Predictable session tokens facilitate session fixation and replay attacks, potentially allowing attackers to impersonate legitimate users or escalate privileges. This can lead to unauthorized access to sensitive data and application functions, compromising confidentiality and integrity. Although availability is not directly impacted, the trustworthiness of user sessions is severely degraded. Organizations using vulnerable parse-server versions in production environments risk persistent unauthorized access and potential lateral movement within their systems. The impact is particularly significant for applications with sensitive user data or critical business logic relying on session security. Since exploitation requires authentication, the threat is somewhat mitigated but remains serious in environments where user credentials may be compromised or where insider threats exist.

Upgrade parse-server to version 9.6.0-alpha.17 or later, or 8.6.42 or later, where the vulnerability is fixed by filtering out server-generated session fields from user input during session creation. If immediate upgrade is not feasible, implement a beforeSave trigger on the _Session class to validate and reject or strip any user-supplied values for sessionToken, expiresAt, and createdWith fields, ensuring these attributes cannot be overwritten by clients. Review and audit session management policies to detect and invalidate any suspicious or long-lived sessions that may have been created exploiting this vulnerability. Enforce strong authentication and monitor for anomalous session creation patterns. Limit exposure by restricting access to the session creation endpoint to trusted users and services only. Regularly update dependencies and monitor parse-community advisories for further security updates. Incorporate session token randomness and expiration enforcement at the application layer as an additional safeguard.