Incorrect authorization in Parse Server - CVE-2026-30965

 

Incorrect authorization in Parse Server - CVE-2026-30965

Published: April 6, 2026


Vulnerability identifier: #VU124986
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-30965
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose session tokens of other users and take over user accounts.

The vulnerability exists due to incorrect authorization in Parse Server query handling for the redirectClassNameForKey query parameter when processing redirected queries. A remote attacker can create or update an object with a new relation field to disclose session tokens of other users and take over user accounts.

Exploitation requires the ability to create or update an object with a new relation field, depending on the class-level permissions of at least one class.


How to mitigate CVE-2026-30965

Install security update from vendor's website.

Sources