Security Advisory

CVE-2026-39381

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-04-07 19:51:03

Last updated 2026-04-07 20:23:31

Assigner GitHub_M

State PUBLISHED

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own sessions protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.

← Browse all CVEs View on cve.org ↗