CVE-2026-32742

Description

### Impact An authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session object via `POST /classes/_Session`. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value. ### Patches The session creation endpoint now filters out server-generated fields from user-supplied data, preventing them from being overwritten. ### Workarounds Add a `beforeSave` trigger on the `_Session` class to validate and reject or strip any user-supplied values for `sessionToken`, `expiresAt`, and `createdWith`.

How to fix CVE-2026-32742

To remediate CVE-2026-32742, upgrade the affected package to a fixed version below.

• —upgrade to 8.6.42 or later
• —upgrade to 9.6.0-alpha.17 or later

Is CVE-2026-32742 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 8.6.42, >= 9.0.0, < 9.6.0
• >= 9.0.0, < 9.6.0-alpha.17

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-32742
• PATCHgithub.com/parse-community/parse-server
• WEBgithub.com/parse-community/parse-server/pull/10195
• WEBgithub.com/parse-community/parse-server/pull/10196