CVE-2026-30965
CRITICALParse Server <9.5.2-alpha.8/8.6.21 - Info Disclosure
Title source: llmDescription
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f
Release Notes x_refsource_misc
https://github.com/parse-community/parse-server/releases/tag/8.6.21
Release Notes x_refsource_misc
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8
Scores
CVSS v3
9.1
EPSS
0.0036
EPSS Percentile
27.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-863
Status
published
Products (3)
npm/parse-server
9.0.0-alpha.1 - 9.5.2-alpha.8npm
parseplatform/parse-server
9.5.2 alpha1 (7 CPE variants)
parseplatform/parse-server
< 8.6.21
Published
Mar 10, 2026
Tracked Since
Mar 11, 2026