CVE-2026-30965

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/parse-community/parse-server/releases/tag/8.6.21	Product Release Notes
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8	Product Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f	Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7::::node.js::*

History

No history.

Information

Published : 2026-03-10 21:16

Updated : 2026-03-11 15:31

NVD link : CVE-2026-30965

Mitre link : CVE-2026-30965

CVE.ORG link : CVE-2026-30965

JSON object : View

Products Affected

parseplatform

parse-server

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-30965", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-10T21:16:48.820", "references": [{"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.21", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f", "tags": ["Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.5.2-alpha.8 y 8.6.21, una vulnerabilidad en el manejo de consultas de Parse Server permite a un atacante autenticado o no autenticado exfiltrar tokens de sesi\u00f3n de otros usuarios explotando el par\u00e1metro de consulta redirectClassNameForKey. Los tokens de sesi\u00f3n exfiltrados pueden ser usados para tomar el control de cuentas de usuario. La vulnerabilidad requiere que el atacante pueda crear o actualizar un objeto con un nuevo campo de relaci\u00f3n, lo cual depende de los Permisos a Nivel de Clase de al menos una clase. Esta vulnerabilidad est\u00e1 corregida en 9.5.2-alpha.8 y 8.6.21."}], "lastModified": "2026-03-11T15:31:39.400", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7D18B8D4-DC43-4F34-B68A-241F384AF08F", "versionEndExcluding": "8.6.21"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E66572ED-597B-4D8E-A636-733D463A4E4D", "versionEndExcluding": "9.5.2", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E0D611B9-CD4F-418B-8FBD-CFA1BCA9E817"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "6521B8A9-6116-4CAE-9B5E-F22C204B1F0C"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "601B2CF1-D29A-42CC-8405-185C1A8E1EB2"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BC9F2B9D-026F-454B-B565-05AA441FA54F"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "FDDB20F1-F6A7-4B1E-B075-CC250613D826"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "CA14D0B7-B952-4C4E-B271-3EBB51C03E9C"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "19B7C5A9-B59A-4A47-B4F0-13C7C796B496"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}