CVE-2026-30965 Overview
CVE-2026-30965 is a critical authorization bypass vulnerability in Parse Server, an open source backend that can be deployed to any infrastructure running Node.js. The vulnerability exists in Parse Server's query handling mechanism and allows attackers to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Once session tokens are obtained, attackers can take over user accounts, potentially compromising the entire application's user base.
Critical Impact
This vulnerability enables session token theft leading to complete user account takeover. Both authenticated and unauthenticated attackers can exploit this flaw if they can create or update objects with relation fields.
Affected Products
- Parse Server versions prior to 8.6.21
- Parse Server versions 9.5.2-alpha.1 through 9.5.2-alpha.7
- parseplatform parse-server (Node.js deployments)
Discovery Timeline
- 2026-03-10 - CVE CVE-2026-30965 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30965
Vulnerability Analysis
This vulnerability falls under CWE-863 (Incorrect Authorization), where the Parse Server fails to properly validate authorization when processing queries that include the redirectClassNameForKey parameter. The flaw allows attackers to redirect queries to access session token data belonging to other users through specially crafted relation field operations.
The attack requires the ability to create or update an object with a new relation field, which depends on the Class-Level Permissions (CLP) configured for at least one class in the Parse Server deployment. In environments with permissive CLP settings, this vulnerability can be exploited without any authentication, significantly increasing the attack surface.
The impact is severe because exfiltrated session tokens provide direct access to user accounts without requiring credentials. This enables attackers to impersonate legitimate users, access their data, and perform actions on their behalf.
Root Cause
The root cause of CVE-2026-30965 is an authorization flaw in how Parse Server processes the redirectClassNameForKey query parameter. The query handling logic fails to enforce proper access controls when redirecting queries through relation fields, allowing unauthorized access to session data that should be restricted. This improper authorization check permits the query to return session tokens from the _Session class when it should deny access based on the requesting user's permissions.
Attack Vector
The vulnerability is exploited over the network without requiring user interaction. An attacker crafts a malicious query that leverages the redirectClassNameForKey parameter to pivot through relation fields and access session token data. The attack flow involves:
- Identifying a class with permissive Class-Level Permissions that allows object creation or modification with relation fields
- Creating or modifying an object with a relation field that points to the target user
- Constructing a query using redirectClassNameForKey to redirect the query flow toward session data
- Extracting session tokens from the query response
- Using the stolen session tokens to authenticate as the victim user
The vulnerability can be exploited by unauthenticated attackers in deployments where at least one class permits public object creation with relation fields.
Detection Methods for CVE-2026-30965
Indicators of Compromise
- Unusual query patterns involving redirectClassNameForKey parameter in Parse Server logs
- Unexpected access to _Session class from unauthorized sources
- Multiple session token lookups or queries from a single source targeting different users
- Failed or suspicious authentication attempts followed by successful logins using different session tokens
Detection Strategies
- Monitor Parse Server query logs for requests containing redirectClassNameForKey targeting session-related classes
- Implement alerting on bulk session token access patterns that deviate from normal application behavior
- Deploy application-layer web application firewall (WAF) rules to detect and block suspicious query parameter combinations
- Audit Class-Level Permissions to identify overly permissive configurations that could enable exploitation
Monitoring Recommendations
- Enable detailed query logging in Parse Server to capture all API requests with full parameter details
- Set up anomaly detection for session token access patterns across user accounts
- Monitor for sudden increases in object creation or modification requests with relation fields
- Implement session validity tracking to detect token usage from unexpected IP addresses or geolocations
How to Mitigate CVE-2026-30965
Immediate Actions Required
- Upgrade Parse Server to version 8.6.21 or 9.5.2-alpha.8 immediately
- Review Class-Level Permissions across all classes and restrict object creation/modification with relation fields to authenticated users only
- Audit existing sessions and consider invalidating all active session tokens as a precautionary measure
- Implement rate limiting on API endpoints to slow potential exploitation attempts
Patch Information
Parse Server has released security patches to address this vulnerability. Users should upgrade to the following fixed versions:
- Stable branch: Upgrade to version 8.6.21 or later - GitHub Parse Server Release 8.6.21
- Alpha branch: Upgrade to version 9.5.2-alpha.8 or later - GitHub Parse Server Release 9.5.2-alpha.8
For additional details, refer to the GitHub Security Advisory GHSA-6r2j-cxgf-495f.
Workarounds
- Restrict Class-Level Permissions to prevent unauthenticated users from creating or modifying objects with relation fields
- Implement additional authentication layers or API gateway controls in front of Parse Server
- Review and harden beforeSave and beforeFind cloud code triggers to add custom authorization checks
- Consider temporarily disabling public API access while preparing for the upgrade
# Configuration example - Review and restrict Class-Level Permissions
# In Parse Dashboard or via REST API, ensure session-sensitive classes have restrictive CLPs:
# Example: Restrict _Session class access (recommended baseline)
# Set CLP to deny public find, get, create, update, delete operations
# Only allow authenticated users with specific roles to access session data
# Verify Parse Server version before and after upgrade
npm list parse-server
# Upgrade Parse Server to patched version
npm update parse-server@8.6.21 # For stable branch
# OR
npm update parse-server@9.5.2-alpha.8 # For alpha branch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
