CVE-2026-30965
March 10, 2026
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.
Affected Packages
https://github.com/parse-community/parse-server.git (GITHUB):
Affected version(s) >=9.0.0 <9.5.2-alpha.8Fix Suggestion:
Update to version 9.5.2-alpha.8https://github.com/parse-community/parse-server.git (GITHUB):
Affected version(s) >=2.0.0 <8.6.21Fix Suggestion:
Update to version 8.6.21parse-server (NPM):
Affected version(s) >=9.0.0-alpha.1 <9.5.2-alpha.8Fix Suggestion:
Update to version 9.5.2-alpha.8parse-server (NPM):
Affected version(s) >=1.0.0 <8.6.21Fix Suggestion:
Update to version 8.6.21Related ResourcesĀ (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
NONE
CVSS v3
Base Score:
10
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Incorrect Authorization
EPSS
Base Score:
0.05
