CVE-2026-30965 - Vulnerability Analysis
Critical | CVSS: 9.1 | Last Updated: March 11, 2026
Parse Server - Broken Access Control
Published: March 10, 2026 | Updated: March 11, 2026 | Remote Exploitable
Overview
Parse Server versions before 9.5.2-alpha.8 and before 8.6.21 contain an information disclosure vulnerability caused by improper handling of the redirectClassNameForKey query parameter. It lets authenticated or unauthenticated attackers exfiltrate session tokens. Exploitation requires the ability to create or update an object with a new relation field, which depends on Class-Level Permissions.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Attackers can exfiltrate session tokens and take over user accounts, leading to account compromise.
Mitigation
Update to version 9.5.2-alpha.8 or 8.6.21 or later.
Details
- CVE ID: CVE-2026-30965
- Severity: Critical
- CVSS Score: 9.1
- Type: broken_access_control
- Status: confirmed
CWE
- CWE-863
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N