CVE-2026-39381: Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
The GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session’s protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields.
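As an added example (not Parse Server's own code), the check below compares a captured `GET /sessions/me` response with the operator's `protectedFields` configuration and reports which protected `_Session` fields still appear, next to the stripping that `GET /sessions` is described as doing correctly. The configuration and the session object are constructed, and only the `*` key of the `protectedFields` shape is handled.

```javascript
// Added example (not Parse Server code): checks a captured GET /sessions/me
// response against the operator's protectedFields config for _Session.
// Assumes the Parse Server protectedFields shape { ClassName: { '*': [fields] } };
// only the '*' (everyone) key is handled here.

// Constructed sample: what an operator might configure for _Session.
const PROTECTED_FIELDS = {
  _Session: { '*': ['installationId', 'createdWith'] },
};

// Constructed sample: a raw _Session object as stored, before any stripping.
const RAW_SESSION = {
  objectId: 'ABC123',
  sessionToken: 'r:constructed-token',
  user: { __type: 'Pointer', className: '_User', objectId: 'U1' },
  installationId: 'constructed-installation-id',
  createdWith: { action: 'login', authProvider: 'password' },
  expiresAt: { __type: 'Date', iso: '2026-06-01T00:00:00.000Z' },
  restricted: false,
};

// Fields protected for everyone ('*') on the given class.
function protectedFor(className, config) {
  const perClass = config[className] || {};
  return new Set(perClass['*'] || []);
}

// What a correctly behaving endpoint (GET /sessions) does: drop protected fields.
function stripProtectedFields(className, obj, config) {
  const hidden = protectedFor(className, config);
  return Object.fromEntries(Object.entries(obj).filter(([k]) => !hidden.has(k)));
}

// Regression check: which protected _Session fields does a /sessions/me
// response still expose? An empty array means the endpoint strips correctly.
function leakedProtectedFields(meResponse, config) {
  const hidden = protectedFor('_Session', config);
  return Object.keys(meResponse).filter((k) => hidden.has(k)).sort();
}

// Vulnerable behaviour: /sessions/me returns the stored object unchanged.
const vulnerableMe = RAW_SESSION;
// Expected behaviour after a fix: the same stripping as /sessions.
const fixedMe = stripProtectedFields('_Session', RAW_SESSION, PROTECTED_FIELDS);
```

Running `leakedProtectedFields` over a real `/sessions/me` response from a test account, with the server's actual `protectedFields` option, gives a quick before/after check when upgrading.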