CVE-2026-34574: CWE-697: Incorrect Comparison in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.
AI Analysis
Technical Summary
Parse Server, an open source backend for Node.js, contained a vulnerability (CWE-697) where authenticated users could bypass immutability guards on the session fields 'expiresAt' and 'createdWith' by submitting null values in session update requests. This flaw allowed indefinite session validity by nullifying the expiry timestamp. The vulnerability affects versions prior to 8.6.69 and versions from 9.0.0 up to, but not including, 9.7.0-alpha.14. The issue has been addressed in versions 8.6.69 and 9.7.0-alpha.14.
Potential Impact
An attacker with authenticated access can extend session validity indefinitely by bypassing session expiry controls. This undermines session length policies and could allow prolonged unauthorized access if session tokens are compromised or reused.
Mitigation Recommendations
Upgrade parse-server to version 8.6.69 or later, or to 9.7.0-alpha.14 or later. These versions include the official fix that prevents null values from bypassing immutability guards on session fields. No other mitigation is indicated.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-30T16:56:30.998Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69cbe700e6bfc5ba1d219520
Added to database: 3/31/2026, 3:23:44 PM
Last enriched: 4/8/2026, 12:10:27 AM
Last updated: 5/15/2026, 1:24:37 AM