VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-h8hu-n8dv-ybhy

Essentials
Severities (18)
References (7)
Severity details (15)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-h8hu-n8dv-ybhy
Aliases	CVE-2026-32742 GHSA-5v7g-9h8f-8pgg
Summary	Parse Server session creation endpoint allows overwriting server-generated session fields ### Impact An authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session object via `POST /classes/_Session`. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value. ### Patches The session creation endpoint now filters out server-generated fields from user-supplied data, preventing them from being overwritten. ### Workarounds Add a `beforeSave` trigger on the `_Session` class to validate and reject or strip any user-supplied values for `sessionToken`, `expiresAt`, and `createdWith`.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-915	Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00021	https://api.first.org/data/v1/epss?cve=CVE-2026-32742
epss	0.00021	https://api.first.org/data/v1/epss?cve=CVE-2026-32742
epss	0.00021	https://api.first.org/data/v1/epss?cve=CVE-2026-32742
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-5v7g-9h8f-8pgg
cvssv3.1	4.3	https://github.com/parse-community/parse-server
generic_textual	MODERATE	https://github.com/parse-community/parse-server
cvssv3.1	4.3	https://github.com/parse-community/parse-server/pull/10195
generic_textual	MODERATE	https://github.com/parse-community/parse-server/pull/10195
ssvc	Track	https://github.com/parse-community/parse-server/pull/10195
cvssv3.1	4.3	https://github.com/parse-community/parse-server/pull/10196
generic_textual	MODERATE	https://github.com/parse-community/parse-server/pull/10196
ssvc	Track	https://github.com/parse-community/parse-server/pull/10196
cvssv3.1	4.3	https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg
cvssv3.1_qr	MODERATE	https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg
generic_textual	MODERATE	https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg
ssvc	Track	https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg
cvssv3.1	4.3	https://nvd.nist.gov/vuln/detail/CVE-2026-32742
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2026-32742

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-32742
		https://github.com/parse-community/parse-server
		https://github.com/parse-community/parse-server/pull/10195
		https://github.com/parse-community/parse-server/pull/10196
		https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg
		https://nvd.nist.gov/vuln/detail/CVE-2026-32742
GHSA-5v7g-9h8f-8pgg		https://github.com/advisories/GHSA-5v7g-9h8f-8pgg

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/parse-community/parse-server

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/parse-community/parse-server/pull/10195

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:52Z/ Found at https://github.com/parse-community/parse-server/pull/10195

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/parse-community/parse-server/pull/10196

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:52Z/ Found at https://github.com/parse-community/parse-server/pull/10196

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:52Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-32742

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.05951
EPSS Score	0.00021
Published At	June 5, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-04T17:00:15.619888+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5v7g-9h8f-8pgg/GHSA-5v7g-9h8f-8pgg.json	38.6.0