CVE-2026-30965
Published 2026-03-10
Priority: P358 · Severity: critical · CVSS 3.1 base score: 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.36% (27.9th percentile)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | < 8.6.21 | 8.6.21 |
| parse-community | parse-server | — | — |
| parse-community | parse-server | >= 0 < 8.6.21 | 8.6.21 |
| parse-community | parse-server | >= 9.0.0-alpha.1 < 9.5.2-alpha.8 | 9.5.2-alpha.8 |
| parseplatform | parse-server | < 8.6.21 | 8.6.21 |
| parseplatform | parse-server | — | — |
| parseplatform | parse-server | >= 9.0.0 < 9.5.2 | 9.5.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| NVD | 4.0 | 9.9 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA · 2026-03-11
CVE-2026-30965 [CRITICAL] CWE-863: Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
### Impact
A vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the `redirectClassNameForKey` query parameter. Exfiltrated session tokens can be used to take over user accounts.
The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class.
### Patches
The fix applies the same security checks that normally protect class access after the query redirect, ensuring that queries redirected via `redirectClassNameForKey` are subject to the same restrictions as direct queries to
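The principle behind the fix, as an added illustration that is not Parse Server's own code: a small in-memory model of class-level permissions (CLPs) in which a find that is redirected through a relation field is authorized against the class it actually reads, not only the class named in the query, and in which introducing a new field on a class is itself gated by that class's `addField` permission (the precondition the advisory names). The schema, rows, requester shapes and the `_Session` stand-in are constructed for this example; the CLP key names (`*`, `requiresAuthentication`, `role:<name>`, `addField`) follow Parse's conventions, but the enforcement functions here are hypothetical and simplified.

```javascript
// Added example, not Parse Server code. Models why a redirected query must be
// re-authorized against the class it ends up reading, and how the addField CLP
// controls whether a client can create the relation field in the first place.

// Constructed schema. CLP entries: '*' = public, requiresAuthentication = any
// logged-in user, 'role:<name>' = members of that role. An empty object means
// only the master key is allowed.
const schema = {
  Post: {
    fields: {
      title: 'String',
      comments: { type: 'Relation', targetClass: 'Comment' },
      // Constructed: a relation pointing at the sensitive class, the situation
      // the advisory describes (a newly added relation field).
      sessions: { type: 'Relation', targetClass: '_Session' },
    },
    clp: { find: { '*': true }, get: { '*': true }, addField: {} },
  },
  Comment: {
    fields: { text: 'String' },
    clp: { find: { '*': true }, get: { '*': true }, addField: {} },
  },
  // Constructed stand-in for a class that only the master key may read.
  _Session: {
    fields: { sessionToken: 'String' },
    clp: { find: {}, get: {}, addField: {} },
  },
};

// Constructed rows; the token value is a placeholder, not a real token.
const rows = {
  Post: [{ objectId: 'p1', title: 'hello' }],
  Comment: [{ objectId: 'c1', text: 'nice' }],
  _Session: [{ objectId: 's1', sessionToken: 'r:PLACEHOLDER' }],
};

// Evaluate one CLP entry (e.g. clp.find) for a requester.
// requester: { master?: boolean, userId?: string, roles?: string[] }
function isAllowed(clpForOp, requester) {
  if (requester.master) return true;
  if (!clpForOp) return false;
  if (clpForOp['*']) return true;
  if (clpForOp.requiresAuthentication && requester.userId) return true;
  return (requester.roles || []).some((r) => clpForOp[`role:${r}`]);
}

// Which class does a find actually read? With a redirect key it is the
// relation's target class, not the class named in the query.
function effectiveClass(className, redirectKey) {
  if (!redirectKey) return className;
  const field = schema[className]?.fields[redirectKey];
  if (!field || field.type !== 'Relation') {
    throw new Error(`${className}.${redirectKey} is not a relation`);
  }
  return field.targetClass;
}

// Hardened behaviour: authorize BOTH the queried class and the class the
// query is redirected to. Checking only the former is the flaw the advisory
// describes. Returns { allowed, className, results }.
function find(className, requester, { redirectKey } = {}) {
  const target = effectiveClass(className, redirectKey);
  const classesToCheck = target === className ? [className] : [className, target];
  for (const c of classesToCheck) {
    if (!isAllowed(schema[c]?.clp.find, requester)) {
      return { allowed: false, className: target, results: [] };
    }
  }
  return { allowed: true, className: target, results: rows[target] || [] };
}

// Defence in depth: creating or updating an object with a field the class
// does not yet have requires the class's addField CLP. With addField locked
// to the master key, a client cannot introduce a new relation field at all.
function canAddField(className, requester) {
  return isAllowed(schema[className]?.clp.addField, requester);
}
```

In this model, an ordinary user can read `Post` and follow the `comments` relation, but a find redirected into `_Session` is refused because `_Session`'s own `find` CLP is checked after the redirect; only the master key passes. The `addField` check shows the other lever the advisory points at: in Parse's CLP model `addField` governs whether a client can introduce new fields on a class, so restricting it on client-writable classes removes the stated precondition, though upgrading to 8.6.21 or 9.5.2-alpha.8 remains the actual fix.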
OSV · 2026-03-11
CVE-2026-30965 [CRITICAL] Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
No detection rules found.
No public exploits indexed.