Platform
nodejs
Component
parse-server
Fixed in
9.0.1
7.0.1
9.8.0-alpha.7
CVE-2026-39381 is an information disclosure vulnerability in Parse Server. An authenticated user can read the protected fields of their own session object through the /sessions/me endpoint, bypassing the server's protectedFields configuration. The flaw affects versions prior to 9.8.0-alpha.7 and is resolved by upgrading to a patched version.
The vulnerability lets authenticated users read data the server operator intended to hide. The /sessions/me endpoint, which returns the session belonging to the caller's session token, does not apply the protectedFields server configuration to its response, so fields the operator marked as protected on the _Session class come back unmasked. The /sessions and /sessions/:objectId endpoints handle protected fields correctly; only /sessions/me skips the filtering, so the same session object is returned with different fields depending on which route the client uses. Because the endpoint resolves the session from the caller's own token, the exposure is limited to fields of the caller's own session rather than other users' sessions, but those fields (for example the session's installationId or the createdWith record of how it was created) are exactly the ones an operator chose to withhold from clients.
CVE-2026-39381 was publicly disclosed on 2026-04-07. There is no indication of active exploitation or a KEV listing at the time of writing. No public proof-of-concept code is available, but exploitation requires nothing more than an authenticated GET request to /sessions/me, so the absence of a PoC offers little practical protection. Because a valid session token is required, the attack surface is limited to authenticated users.
Exploit Status
EPSS
0.04% (12th percentile)
The primary mitigation is to upgrade Parse Server to version 9.8.0-alpha.7 or later. The fix re-fetches the session with the caller's authentication context instead of a privileged one, so protectedFields and CLPs (Class-Level Permissions) are applied to /sessions/me the same way they are to the other session endpoints. If upgrading is not immediately feasible, a temporary workaround is to block the /sessions/me route at a reverse proxy or middleware in front of Parse Server; note that this also breaks legitimate clients that fetch their current session through the SDK, which is served by this endpoint, so it is a stopgap rather than a fix. After upgrading, confirm the fix by requesting /sessions/me with an ordinary user's session token and comparing the response with /sessions/:objectId for the same session: fields listed in protectedFields for _Session must be absent from both responses.
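The comparison described above, as an added example that is not part of this advisory or of Parse Server's own code. It assumes a Parse Server whose protectedFields configuration hides the _Session fields installationId and createdWith from every caller (the `'*'` key), a server URL in PARSE_SERVER_URL, and an application id and ordinary user session token in PARSE_APP_ID and PARSE_SESSION_TOKEN. The sample response bodies are constructed to show the shape of the bug, not captured from a real server; without the environment variables the script runs against those samples only.

```javascript
// Added post-upgrade check for CVE-2026-39381 (example code, not Parse
// Server's own code). Both requests are made as the session owner, with no
// master key, so any field present in /sessions/me but stripped from
// /sessions/:objectId is a protectedFields filtering inconsistency.

// Assumed operator configuration, as it would be passed to new ParseServer({...}).
const PROTECTED_FIELDS_CONFIG = {
  _Session: { '*': ['installationId', 'createdWith'] },
};
const PROTECTED_SESSION_FIELDS = PROTECTED_FIELDS_CONFIG._Session['*'];

// Headers for a REST request authenticated as the session owner.
function sessionHeaders(appId, sessionToken) {
  return {
    'X-Parse-Application-Id': appId,
    'X-Parse-Session-Token': sessionToken,
    Accept: 'application/json',
  };
}

// Protected fields that appear in a response body. Non-empty means the server
// returned something protectedFields should have stripped.
function leakedProtectedFields(body, protectedFields) {
  return protectedFields.filter(f => Object.prototype.hasOwnProperty.call(body, f));
}

// Keys present in the /sessions/me view but absent from the /sessions/:objectId
// view of the same session. Same caller, same object, so the sets should match.
function extraFieldsInMe(meBody, byIdBody) {
  return Object.keys(meBody)
    .filter(k => !Object.prototype.hasOwnProperty.call(byIdBody, k))
    .sort();
}

// Verdict for one session: leaked protected fields, view mismatch, vulnerable flag.
function assessSession(meBody, byIdBody, protectedFields) {
  const leaked = leakedProtectedFields(meBody, protectedFields);
  const extra = extraFieldsInMe(meBody, byIdBody);
  return { leaked, extra, vulnerable: leaked.length > 0 };
}

// Live check against a running server (global fetch needs Node 18 or later).
async function checkServer({ serverUrl, appId, sessionToken, protectedFields }) {
  const headers = sessionHeaders(appId, sessionToken);
  const meRes = await fetch(`${serverUrl}/sessions/me`, { headers });
  const me = await meRes.json();
  if (!meRes.ok) throw new Error(`/sessions/me failed: ${JSON.stringify(me)}`);
  const byIdRes = await fetch(`${serverUrl}/sessions/${encodeURIComponent(me.objectId)}`, { headers });
  const byId = await byIdRes.json();
  if (!byIdRes.ok) throw new Error(`/sessions/${me.objectId} failed: ${JSON.stringify(byId)}`);
  return assessSession(me, byId, protectedFields);
}

// Constructed sample bodies (not captured from a real server). The by-id view
// has the protected fields stripped; the unpatched /sessions/me view does not.
const SAMPLE_BY_ID = {
  objectId: 'sess0001',
  sessionToken: 'r:constructedtoken',
  user: { __type: 'Pointer', className: '_User', objectId: 'user0001' },
  restricted: false,
  expiresAt: { __type: 'Date', iso: '2026-06-01T00:00:00.000Z' },
  createdAt: '2026-04-01T00:00:00.000Z',
  updatedAt: '2026-04-01T00:00:00.000Z',
};
const SAMPLE_ME_UNPATCHED = {
  ...SAMPLE_BY_ID,
  installationId: 'constructed-install-id',
  createdWith: { action: 'login', authProvider: 'password' },
};
const SAMPLE_ME_PATCHED = { ...SAMPLE_BY_ID };

if (process.env.PARSE_SERVER_URL) {
  checkServer({
    serverUrl: process.env.PARSE_SERVER_URL,
    appId: process.env.PARSE_APP_ID,
    sessionToken: process.env.PARSE_SESSION_TOKEN,
    protectedFields: PROTECTED_SESSION_FIELDS,
  }).then(
    r => console.log(JSON.stringify(r, null, 2)),
    e => { console.error(e.message); process.exit(2); }
  );
} else {
  console.log('unpatched sample:', assessSession(SAMPLE_ME_UNPATCHED, SAMPLE_BY_ID, PROTECTED_SESSION_FIELDS));
  console.log('patched sample:  ', assessSession(SAMPLE_ME_PATCHED, SAMPLE_BY_ID, PROTECTED_SESSION_FIELDS));
}
```

Run it against a staging server with a low-privilege user's token, never the master key: the master key bypasses protectedFields by design, so a master-key run would report every field as leaked on a correctly patched server. A `vulnerable: true` verdict after the upgrade means the protected fields are still being returned and the deployment should be treated as unpatched.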
Update Parse Server to version 9.8.0-alpha.7 or higher, or to version 8.6.75 or higher. This update fixes the vulnerability by ensuring that protected fields are not exposed through the /sessions/me endpoint.
CVE-2026-39381 is a vulnerability in Parse Server where authenticated users can retrieve their session's protected fields via the /sessions/me endpoint, bypassing intended security measures.
You are affected if you are running a Parse Server version prior to 9.8.0-alpha.7 and rely on the protectedFields configuration to hide fields of the _Session class from clients.
Upgrade Parse Server to version 9.8.0-alpha.7 or later to remediate the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
There is currently no indication of active exploitation, but the vulnerability's simplicity suggests it could be easily exploited.
Refer to the official Parse Server documentation and security advisories for detailed information and updates regarding CVE-2026-39381.