SB2026040769 - Incorrect authorization in Parse Server

Published: April 7, 2026

Security Bulletin ID SB2026040769
CSH Severity
High
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Incorrect authorization (CVE-ID: CVE-2026-30965)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to disclose session tokens of other users and take over user accounts.

The vulnerability exists due to incorrect authorization in Parse Server's query handling for the redirectClassNameForKey query parameter when processing redirected queries. A remote attacker who can create or update an object with a new relation field can use this to disclose other users' session tokens and take over their accounts.

Exploitation requires the ability to create or update an object with a new relation field, depending on the class-level permissions of at least one class.
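As an added audit example (not the bulletin's or Parse Server's own code): the bulletin makes exploitation depend on being able to create or update an object with a new relation field, which Parse Server gates through class-level permissions (CLPs), so this script flags classes whose CLPs grant those operations to unauthenticated callers. It assumes the input objects use the `className` / `classLevelPermissions` shape that Parse Server's schema API returns.

```javascript
// Added example, not from the bulletin or the Parse Server project. Audits Parse Server
// class-level permissions (CLPs) for the precondition the bulletin names for
// CVE-2026-30965: a caller who can create/update objects and add a new field to a class.
// Assumed input shape: { className, classLevelPermissions } as returned by the schema API.

const PUBLIC = '*';

// CLP operations that let a caller write objects or add fields to a class.
const WRITE_OPS = ['create', 'update', 'addField'];

// Returns which write operations an unauthenticated (public) caller is granted on one class.
// In Parse Server CLPs a missing or empty entry means nobody, and { '*': true } means
// everyone, including unauthenticated clients.
function publicWriteOps(clp) {
  const perms = clp || {};
  return WRITE_OPS.filter((op) => perms[op] && perms[op][PUBLIC] === true);
}

// Audits a list of schema definitions and returns one finding per class whose CLPs let
// the public create or update objects or add fields.
function auditSchemas(schemas) {
  const findings = [];
  for (const schema of schemas) {
    const ops = publicWriteOps(schema.classLevelPermissions);
    if (ops.length > 0) {
      findings.push({ className: schema.className, publicOps: ops });
    }
  }
  return findings;
}

// Constructed sample schemas (not real data): one locked-down class, one permissive class.
const SAMPLE_SCHEMAS = [
  {
    className: 'Post',
    classLevelPermissions: {
      find: { [PUBLIC]: true }, get: { [PUBLIC]: true },
      create: { requiresAuthentication: true }, update: { requiresAuthentication: true },
      delete: { requiresAuthentication: true }, addField: {},
    },
  },
  {
    className: 'Comment',
    classLevelPermissions: {
      find: { [PUBLIC]: true }, get: { [PUBLIC]: true },
      create: { [PUBLIC]: true }, update: { [PUBLIC]: true },
      delete: { [PUBLIC]: true }, addField: { [PUBLIC]: true },
    },
  },
];

console.log(JSON.stringify(auditSchemas(SAMPLE_SCHEMAS)));
// prints [{"className":"Comment","publicOps":["create","update","addField"]}]
```

The check only flags public grants; grants to authenticated users or roles also satisfy the bulletin's precondition and are worth reviewing by hand. Tightening CLPs narrows who can reach the flaw but does not replace installing the vendor update.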


Remediation

Install the update from the vendor's website.