CVE-2026-30965: Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
A vulnerability in Parse Server’s query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts.
The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class.
References
- github.com/advisories/GHSA-6r2j-cxgf-495f
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/releases/tag/8.6.21
- github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8
- github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f
- nvd.nist.gov/vuln/detail/CVE-2026-30965
Code Behaviors & Features
Detect and mitigate CVE-2026-30965 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →