CVE-2026-30965

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-30965
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/parse-community/parse-server/releases/tag/8.6.21 Product Release Notes
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8 Product Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f Vendor Advisory Mitigation
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*
History

11 Mar 2026, 15:31

Type Values Removed Values Added
CPE cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.1
First Time Parseplatform
Parseplatform parse-server
References () https://github.com/parse-community/parse-server/releases/tag/8.6.21 - () https://github.com/parse-community/parse-server/releases/tag/8.6.21 - Product, Release Notes
References () https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8 - () https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8 - Product, Release Notes
References () https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f - () https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f - Vendor Advisory, Mitigation

11 Mar 2026, 13:52

Type Values Removed Values Added
Summary
  • (es) Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.5.2-alpha.8 y 8.6.21, una vulnerabilidad en el manejo de consultas de Parse Server permite a un atacante autenticado o no autenticado exfiltrar tokens de sesión de otros usuarios explotando el parámetro de consulta redirectClassNameForKey. Los tokens de sesión exfiltrados pueden ser usados para tomar el control de cuentas de usuario. La vulnerabilidad requiere que el atacante pueda crear o actualizar un objeto con un nuevo campo de relación, lo cual depende de los Permisos a Nivel de Clase de al menos una clase. Esta vulnerabilidad está corregida en 9.5.2-alpha.8 y 8.6.21.

10 Mar 2026, 21:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-10 21:16

Updated : 2026-03-11 15:31

NVD link : CVE-2026-30965

Mitre link : CVE-2026-30965

CVE.ORG link : CVE-2026-30965

JSON object : View

Products Affected

parseplatform

  • parse-server
CWE
CWE-863

Incorrect Authorization