CVE-2026-30965
Published: 10 March 2026
Summary
CVE-2026-30965 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 24.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting and correction of flaws such as this Parse Server query-handling vulnerability; patching to the fixed versions removes the session token exfiltration path.
- SI-10 (Information Input Validation): enforces validation of query inputs such as redirectClassNameForKey, blocking the exploitation that allows exfiltration of other users' session tokens.
- AC-3 (Access Enforcement): mandates enforcement of approved authorizations, countering the incorrect authorization in relation field handling that enables session token theft.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in a public Parse Server backend (CWE-863, an authorization bypass on session queries), so it directly enables remote exploitation of a public-facing application (T1190) in order to steal other users' session tokens (Steal Application Access Token, T1528) for impersonation and account takeover.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.
Deeper analysis
CVE-2026-30965 is a critical-severity vulnerability (CVSS 9.1) in Parse Server, an open-source backend platform deployable on any Node.js-compatible infrastructure. It affects versions prior to 9.5.2-alpha.8 and 8.6.21 and stems from flawed query handling of the redirectClassNameForKey parameter (CWE-863: Incorrect Authorization). The flaw lets an attacker exfiltrate session tokens belonging to other users, which can lead to full account takeover.
An authenticated or unauthenticated attacker can exploit this by creating or updating an object with a new relation field, provided the Class-Level Permissions (CLPs) of at least one class allow such operations. The attack is reachable over the network, is of low complexity, and needs neither privileges nor user interaction; its impact on confidentiality and integrity is high, because the stolen session tokens let the attacker impersonate the victims.
The Parse community addressed this in releases 8.6.21 and 9.5.2-alpha.8, as detailed in the GitHub security advisory GHSA-6r2j-cxgf-495f and corresponding release notes. Security practitioners should upgrade to these patched versions immediately and review CLPs to restrict object creation or updates involving relation fields.
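The CLP review recommended above can be made mechanical. The following audit is an added example (not code from the advisory or from the Parse project): it walks a schema dump in the JSON shape returned by Parse Server's GET /parse/schemas endpoint (master key required) and reports every class where an unprivileged client could both write an object and add a new field, which is the precondition the advisory describes. It assumes Parse Server's CLP semantics that an absent entry imposes no restriction while an empty object `{}` permits only the master key; the sample schema dump is constructed.

```javascript
// Added example: audit Class-Level Permissions for the precondition
// named in CVE-2026-30965 (create/update an object AND add a new field).
// Assumed CLP semantics: absent entry = unrestricted, {} = master key only.

const RANK = { public: 0, authenticated: 1, restricted: 2 };
const NAME = ['public', 'authenticated', 'restricted'];

// Who may perform a single CLP operation.
function exposure(perm) {
  if (perm === undefined || perm['*'] === true) return 'public';
  if (perm.requiresAuthentication === true) return 'authenticated';
  return 'restricted';  // {} or an explicit user/role list
}

// Report a class when addField AND (create OR update) are reachable by
// public or merely authenticated clients; the effective requirement is
// the stricter of addField and the looser of create/update.
function auditSchemas(schemasResponse) {
  const findings = [];
  for (const cls of schemasResponse.results || []) {
    const clp = cls.classLevelPermissions || {};
    const write = Math.min(RANK[exposure(clp.create)], RANK[exposure(clp.update)]);
    const effective = Math.max(RANK[exposure(clp.addField)], write);
    if (effective < RANK.restricted) {
      findings.push({ className: cls.className, reachableBy: NAME[effective] });
    }
  }
  return findings;
}

// Hardened CLP for a user-writable class: authenticated users may write
// rows, but field creation is closed, so clients cannot add a relation field.
const HARDENED_CLP = {
  find: { requiresAuthentication: true }, get: { requiresAuthentication: true },
  count: { requiresAuthentication: true }, create: { requiresAuthentication: true },
  update: { requiresAuthentication: true }, delete: { requiresAuthentication: true },
  addField: {}, protectedFields: { '*': [] },
};

const SAMPLE_SCHEMAS = {  // constructed sample dump, not real data
  results: [
    { className: 'Post', classLevelPermissions: { create: { '*': true }, update: { '*': true }, addField: { '*': true } } },
    { className: 'Comment', classLevelPermissions: { create: { requiresAuthentication: true }, update: {}, addField: { requiresAuthentication: true } } },
    { className: 'Profile', classLevelPermissions: { create: { requiresAuthentication: true }, update: { requiresAuthentication: true } } },  // addField absent
    { className: 'Audit', classLevelPermissions: { create: { 'role:admin': true }, update: { 'role:admin': true }, addField: { 'role:admin': true } } },
    { className: 'Ticket', classLevelPermissions: HARDENED_CLP },
  ],
};

console.log(auditSchemas(SAMPLE_SCHEMAS));  // Post, Comment and Profile are reported
```

Classes that appear in the output are the ones whose CLPs should be tightened (for example by closing addField as in HARDENED_CLP) in addition to upgrading to a fixed release.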
Details
- CWE(s)