#VU124986 Incorrect authorization in Parse Server - CVE-2026-30965

Published: April 6, 2026


Vulnerability identifier: #VU124986
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-30965
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Parse Server
Software vendor:
Parse Community

Description

The vulnerability allows a remote attacker to disclose session tokens of other users and take over user accounts.

The vulnerability exists due to incorrect authorization in Parse Server query handling for the redirectClassNameForKey query parameter when processing redirected queries. A remote attacker can create or update an object with a new relation field to disclose session tokens of other users and take over user accounts.

Exploitation requires the ability to create or update an object with a new relation field, depending on the class-level permissions of at least one class.
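To check whether a deployment meets the precondition just described, here is an added example (not part of this advisory and not Parse Server's own code) that audits class-level permissions for classes where the same principal can create or update objects and also add a new field. It assumes each schema object carries a `classLevelPermissions` map with `create`, `update` and `addField` entries keyed by principal name, as Parse Server's schema API returns them; the sample schemas are constructed.

```javascript
// Added example: audit Parse Server class-level permissions (CLPs) for the
// precondition named above: a principal that can create or update objects
// AND add a new field to the same class. Assumes each schema object has a
// `classLevelPermissions` map whose `create`, `update` and `addField` entries
// map principal names ("*", "requiresAuthentication", "role:<name>", a user
// id) to true, as the Parse Server schema API returns them.

// Principal names granted operation `op` in a CLP map.
function principalsAllowed(clp, op) {
  const entry = (clp && clp[op]) || {};
  return Object.keys(entry).filter((p) => entry[p] === true);
}

// Principals that can both write (create or update) and add a field, i.e.
// that satisfy the advisory's precondition for this class.
function exposedPrincipals(clp) {
  const writers = new Set([
    ...principalsAllowed(clp, 'create'),
    ...principalsAllowed(clp, 'update'),
  ]);
  return principalsAllowed(clp, 'addField').filter((p) => writers.has(p));
}

// One finding per affected class. "high" when the public or any
// authenticated user qualifies; "review" when only roles or explicit user
// ids do, so an admin can decide whether those principals are trusted.
function auditSchemas(schemas) {
  const findings = [];
  for (const s of schemas) {
    const exposed = exposedPrincipals(s.classLevelPermissions);
    if (exposed.length === 0) continue;
    const broad = exposed.some((p) => p === '*' || p === 'requiresAuthentication');
    findings.push({ className: s.className, severity: broad ? 'high' : 'review', principals: exposed });
  }
  return findings;
}

// Constructed sample schemas for this example (not from a real deployment).
const SAMPLE_SCHEMAS = [
  { className: 'Post', classLevelPermissions: { find: { '*': true }, create: { requiresAuthentication: true },
      update: { requiresAuthentication: true }, addField: { requiresAuthentication: true } } },
  { className: 'Comment', classLevelPermissions: { find: { '*': true }, create: { '*': true },
      update: {}, addField: { 'role:Admin': true } } },
  { className: 'AuditLog', classLevelPermissions: { create: { 'role:Admin': true },
      update: { 'role:Admin': true }, addField: { 'role:Admin': true } } },
];

console.log(JSON.stringify(auditSchemas(SAMPLE_SCHEMAS), null, 2));
```

In a real deployment, feed `auditSchemas` the `results` array returned by the schema endpoint (fetched with the master key) and treat every "high" finding as a class to lock down until the vendor update is installed.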


Remediation

Install the security update from the vendor's website.

External links