SB2026040769 - Incorrect authorization in Parse Server
Published: April 7, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Incorrect authorization (CVE-ID: CVE-2026-30965)
The vulnerability allows a remote attacker to disclose session tokens of other users and take over user accounts.
The vulnerability exists because Parse Server does not correctly enforce authorization when handling queries that use the redirectClassNameForKey query parameter (redirected queries). A remote attacker can create or update an object with a new relation field to disclose session tokens of other users and take over user accounts.
Exploitation requires the ability to create or update an object with a new relation field, depending on the class-level permissions of at least one class.
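Because exploitation depends on a client being allowed to create or update an object with a new field on at least one class, the class-level permissions (CLP) for `create`, `update` and `addField` are the settings a defender should review while the update is rolled out. The following is an added example written for this bulletin, not code from the bulletin or from the Parse Server project: it audits a set of schema objects for those three operations being open to the public or to every authenticated user, and produces a hardened copy of a CLP. It assumes the CLP object shape returned by Parse Server's schema endpoint (per-operation maps such as `{ "*": true }`, `{ "requiresAuthentication": true }` or `{ "role:Admin": true }`); the sample schemas are constructed for the example.

```javascript
// Added example (not part of the SB2026040769 bulletin or of Parse Server's
// own code): audit Parse Server class-level permissions (CLP) for settings
// that let unauthenticated or arbitrary users create/update objects or add
// new fields, and produce a hardened CLP.
//
// Assumption: the CLP object uses the shape returned by Parse Server's
// schema endpoint (`classLevelPermissions` with per-operation maps such as
// { "*": true }, { "requiresAuthentication": true }, { "role:Admin": true }).
// Verify against the schema output of your own deployment.

const RISKY_OPERATIONS = ['create', 'update', 'addField'];

// Classify a single operation's permission map.
// 'public'        - anyone, including unauthenticated clients, is allowed
// 'authenticated' - any logged-in user is allowed
// 'restricted'    - only listed users/roles/pointer fields (or nobody)
function classifyPermission(permMap) {
  if (!permMap || typeof permMap !== 'object') return 'restricted';
  if (permMap['*'] === true) return 'public';
  if (permMap.requiresAuthentication === true) return 'authenticated';
  return 'restricted';
}

// Audit one schema object ({ className, classLevelPermissions }).
// Returns one finding per risky operation that is public or open to
// all authenticated users.
function auditClassSchema(schema) {
  const clp = (schema && schema.classLevelPermissions) || {};
  const findings = [];
  for (const op of RISKY_OPERATIONS) {
    const level = classifyPermission(clp[op]);
    if (level !== 'restricted') {
      findings.push({ className: schema.className, operation: op, level });
    }
  }
  return findings;
}

// Audit every class in a schema listing.
function auditSchemas(schemas) {
  return schemas.flatMap(auditClassSchema);
}

// Return a hardened copy of a CLP: create/update/addField are limited to
// the given role (default "Admin"); all other operations are left as-is.
function hardenClassLevelPermissions(clp, role = 'Admin') {
  const hardened = { ...clp };
  for (const op of RISKY_OPERATIONS) {
    hardened[op] = { [`role:${role}`]: true };
  }
  return hardened;
}

// Constructed sample schemas (not real data).
const SAMPLE_SCHEMAS = [
  {
    className: 'Comment',
    classLevelPermissions: {
      find: { '*': true },
      get: { '*': true },
      create: { '*': true },                    // anyone can create objects
      update: { requiresAuthentication: true }, // any logged-in user can update
      delete: { 'role:Admin': true },
      addField: { '*': true },                  // anyone can add a new field
    },
  },
  {
    className: 'Invoice',
    classLevelPermissions: {
      find: { 'role:Admin': true },
      get: { 'role:Admin': true },
      create: { 'role:Admin': true },
      update: { 'role:Admin': true },
      delete: { 'role:Admin': true },
      addField: { 'role:Admin': true },
    },
  },
];

// Print a short report for the sample schemas.
function printReport(schemas) {
  for (const f of auditSchemas(schemas)) {
    console.log(`${f.className}.${f.operation} is ${f.level}`);
  }
}

printReport(SAMPLE_SCHEMAS);
console.log(JSON.stringify(
  hardenClassLevelPermissions(SAMPLE_SCHEMAS[0].classLevelPermissions), null, 2));
```

Feed `auditSchemas` the array returned by your deployment's schema endpoint (the `results` list of `GET /schemas`, fetched with the master key) to list every class whose `create`, `update` or `addField` permission is open; the hardened CLP is then applied through the same schema API. Restricting `addField` is the narrowest change, since it blocks clients from introducing new fields while leaving ordinary object creation and updates untouched.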
Remediation
Install the update from the vendor's website.