Parse Server is a popular open source backend framework that runs on Node.js and is widely used to build scalable applications. CVE-2026-34574 is a vulnerability classified under CWE-697 (Incorrect Comparison) that allows authenticated users to bypass immutability protections on critical session fields. Specifically, the fields expiresAt and createdWith, which are intended to be immutable once set, can be overwritten with null values via a crafted PUT request to the session update endpoint. This improper handling of null values leads to the nullification of session expiry, effectively making the session valid indefinitely. This undermines configured session length policies designed to limit session lifetime and reduce risk from stolen or hijacked sessions. The vulnerability affects parse-server versions earlier than 8.6.69 and versions from 9.0.0 up to 9.7.0-alpha.14. The issue does not require user interaction and can be exploited by any authenticated user, making it relatively easy to exploit in environments where authentication is not tightly controlled. The CVSS 4.0 base score is 5.3 (medium), reflecting network attack vector, low complexity, no privileges required beyond authentication, and limited impact on confidentiality and integrity but significant impact on availability of session controls. The vulnerability has been patched in versions 8.6.69 and 9.7.0-alpha.14, and no known exploits have been reported in the wild. The root cause is an incorrect comparison or validation logic that fails to properly reject null values for immutable session fields.

The primary impact of this vulnerability is the indefinite extension of session validity, which can severely weaken session management security. Attackers who gain authenticated access can maintain persistent sessions without expiration, increasing the window for unauthorized access and lateral movement within affected systems. This undermines security policies enforcing session timeouts and can facilitate long-term abuse of compromised accounts. Organizations relying on parse-server for backend services risk exposure of sensitive data and unauthorized actions performed under hijacked or maliciously prolonged sessions. The vulnerability could also complicate incident response and forensic investigations by obscuring session timelines. While it does not directly allow privilege escalation or remote code execution, the ability to bypass session expiry controls poses a significant risk to confidentiality and integrity of user accounts and application data. The impact is particularly critical in environments with sensitive data, regulatory compliance requirements, or where session management is a key security control.

Organizations should immediately upgrade parse-server to version 8.6.69 or later, or 9.7.0-alpha.14 or later, where the vulnerability is patched. In addition to upgrading, implement strict authentication controls to limit access to session update endpoints only to trusted users and services. Employ monitoring and alerting on unusual session update activities, especially those involving null or unexpected values in session fields. Review and harden API input validation to reject null or malformed values for immutable fields. Consider implementing additional session management controls such as token revocation, multi-factor authentication, and reduced session lifetimes as defense-in-depth. Conduct regular security audits and penetration testing focused on session management logic. If upgrading is not immediately possible, apply compensating controls such as web application firewalls (WAFs) to detect and block suspicious session update requests. Finally, educate developers and administrators about secure session handling practices to prevent similar logic flaws.