{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39381", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T22:06:40.515Z", "datePublished": "2026-04-07T19:51:03.479Z", "dateUpdated": "2026-04-07T20:23:31.190Z"}, "containers": {"cna": {"title": "Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64"}, {"name": "https://github.com/parse-community/parse-server/pull/10406", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10406"}, {"name": "https://github.com/parse-community/parse-server/pull/10407", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10407"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": ">= 9.0.0, < 9.8.0-alpha.7", "status": "affected"}, {"version": ">= 7.0.0, < 8.6.75", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:51:03.479Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75."}], "source": {"advisory": "GHSA-g4v2-qx3q-4p64", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T20:23:25.561431Z", "id": "CVE-2026-39381", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T20:23:31.190Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39381", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T20:23:25.561431Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T20:23:28.592Z"}}], "cna": {"title": "Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`", "source": {"advisory": "GHSA-g4v2-qx3q-4p64", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": ">= 9.0.0, < 9.8.0-alpha.7"}, {"status": "affected", "version": ">= 7.0.0, < 8.6.75"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/pull/10406", "name": "https://github.com/parse-community/parse-server/pull/10406", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/pull/10407", "name": "https://github.com/parse-community/parse-server/pull/10407", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:51:03.479Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39381", "state": "PUBLISHED", "dateUpdated": "2026-04-07T20:23:31.190Z", "dateReserved": "2026-04-06T22:06:40.515Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T19:51:03.479Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "CBC593AE-96EC-4CD6-94A0-225E62133716", "versionEndExcluding": "8.6.75", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "505A2B01-2F11-48C8-BA71-66D6FEB856B1", "versionEndExcluding": "9.8.0", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "510B10D0-84FF-464C-A94F-2A81B4C82DA6", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "65C4D465-733A-464D-8BDC-BA29669CF48B", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "D125D774-F201-4028-8929-E5613205E151", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "E71F69E4-172B-4E46-B96D-FE4268E0E3B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "820B096D-053D-47A3-9E8B-65DF698221C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.8.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "A11A8DF2-F486-4E9E-A4FA-7D7417C7197A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75."}], "id": "CVE-2026-39381", "lastModified": "2026-04-15T15:57:20.193", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:32.790", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/pull/10406"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/pull/10407"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.8.0-alpha.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,8.6.75)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-04-07T22:17:15.692380+00:00", "value": {"mitigation_remediation": ["Upgrade Parse Server to version 9.8.0-alpha.7 or 8.6.75 or newer", "Verify that the /sessions/me endpoint no longer returns protected fields", "Review and enforce protectedFields configuration in deployment", "Monitor authenticated session activity for unusual data exposure"], "summary": {"action": "Apply Patch", "impact": "Sensitive Session Data Exposure"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the parse-community:parse-server product, affecting all installations running versions before 9.8.0-alpha.7 and 8.6.75. Updating to those releases or later eliminates the issue.", "description_and_impact": "Parse Server, an open-source backend for Node.js, contains an endpoint that returns session information. The /sessions/me route improperly exposes fields that the server operator has marked as protected, allowing any authenticated user to retrieve sensitive data they should not see. This flaw can lead to disclosure of confidential session details and compromise the integrity of the session data, but does not allow a user to access other users\u2019 sessions.", "risk_and_exploitability": "With a CVSS score of 5.3 the flaw is considered moderate in severity. An attacker only needs to be authenticated against the application to exploit it, and no remote code execution or denial of service is possible. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting the threat of widespread exploitation is limited at present. The remedy is straightforward: upgrade to the fixed versions."}}}}, "created": "2026-04-08T19:34:31.804867+00:00", "updated": "2026-04-08T19:46:02.117869+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}