CVE-2026-32742: Parse Server session creation endpoint allows overwriting server-generated session fields
An authenticated user can overwrite server-generated session fields (sessionToken, expiresAt, createdWith) when creating a session object via POST /classes/_Session. This allows bypassing the server’s session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-32742 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →