CVE-2026-39381 | THREATINT

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.

PUBLISHED Reserved 2026-04-06 | Published 2026-04-07 | Updated 2026-04-07 | Assigner GitHub_M

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-863: Incorrect Authorization

Product status

>= 9.0.0, < 9.8.0-alpha.7

affected

>= 7.0.0, < 8.6.75

affected

References

github.com/...server/security/advisories/GHSA-g4v2-qx3q-4p64

github.com/parse-community/parse-server/pull/10406

github.com/parse-community/parse-server/pull/10407

cve.org (CVE-2026-39381)

nvd.nist.gov (CVE-2026-39381)

Download JSON