9.6.0 (2026-03-22)

Bug Fixes

• LiveQuery regexTimeout default value not applied (#10156) (416cfbc)
• Account lockout race condition allows bypassing threshold via concurrent requests (#10266) (ff70fee)
• Account takeover via operator injection in authentication data identifier (GHSA-5fw2-8jcv-xh87) (#10185) (0d0a554)
• Add configurable batch request sub-request limit via option requestComplexity.batchRequestLimit (#10265) (164ed0d)
• Auth data exposed via /users/me endpoint (GHSA-37mj-c2wf-cx96) (#10278) (875cf10)
• Auth provider validation bypass on login via partial authData (GHSA-pfj7-wv7c-22pr) (#10246) (98f4ba5)
• Block dot-notation updates to authData sub-fields and harden login provider checks (#10223) (12c24c6)
• Bypass of class-level permissions in LiveQuery (GHSA-7ch5-98q2-7289) (#10133) (98188d9)
• Classes _GraphQLConfig and _Audience master key bypass via generic class routes (GHSA-7xg7-rqf6-pw6c) (#10151) (1de4e43)
• Cloud function dispatch crashes server via prototype chain traversal (GHSA-4263-jgmp-7pf4) (#10210) (286373d)
• Concurrent signup with same authentication creates duplicate users (#10149) (853bfe1)
• Create CLP not enforced before user field validation on signup (#10268) (a0530c2)
• Denial of service via unindexed database query for unconfigured auth providers (GHSA-g4cf-xj29-wqqr) (#10270) (fbac847)
• Denial-of-service via unbounded query complexity in REST and GraphQL API (GHSA-cmj3-wx7h-ffvg) (#10130) (0ae9c25)
• Email verification resend page leaks user existence (GHSA-h29g-q5c2-9h4f) (#10238) (fbda4cb)
• Empty authData bypasses credential requirement on signup (GHSA-wjqw-r9x4-j59v) (#10219) (5dcbf41)
• GraphQL WebSocket endpoint bypasses security middleware (GHSA-p2x3-8689-cwpg) (#10189) (3ffba75)
• Incomplete JSON key escaping in PostgreSQL Increment on nested Object fields (#10261) (a692873)
• Input type validation for query operators and batch path (#10230) (a628911)
• Instance comparison with instanceof is not realm-safe (#10225) (51efb1e)
• LDAP injection via unsanitized user input in DN and group filter construction (GHSA-7m6r-fhh7-r47c) (#10154) (5bbca7b)
• LiveQuery bypasses CLP pointer permission enforcement (GHSA-fph2-r4qg-9576) (#10250) (6c3317a)
• LiveQuery subscription query depth bypass (GHSA-6qh5-m6g3-xhq6) (#10259) (2126fe4)
• LiveQuery subscription with invalid regular expression crashes server (GHSA-827p-g5x5-h86c) (#10197) (0ae0eee)
• Locale parameter path traversal in pages router (#10242) (01fb6a9)
• MFA recovery code single-use bypass via concurrent requests (GHSA-2299-ghjr-6vjp) (#10275) (5e70094)
• MFA recovery codes not consumed after use (GHSA-4hf6-3x24-c9m8) (#10170) (18abdd9)
• Missing audience validation in Keycloak authentication adapter (GHSA-48mh-j4p5-7j9v) (#10137) (78ef1a1)
• Normalize HTTP method case in allowMethodOverride middleware (#10262) (a248e8c)
• NoSQL injection via token type in password reset and email verification endpoints (GHSA-vgjh-hmwf-c588) (#10128) (b2f2317)
• OAuth2 adapter app ID validation sends wrong token to introspection endpoint (GHSA-69xg-f649-w5g2) (#10187) (7f9f854)
• OAuth2 adapter shares mutable state across providers via singleton instance (GHSA-2cjm-2gwv-m892) (#10183) (6009bc1)
• Parse Server OAuth2 authentication adapter account takeover via identity spoofing (GHSA-fr88-w35c-r596) (#10145) (9cfd06e)
• Parse Server role escalation and CLP bypass via direct `_Join table write (GHSA-5f92-jrq3-28rc) (#10141) (22faa08)
• Parse Server session token exfiltration via redirectClassNameForKey query parameter (GHSA-6r2j-cxgf-495f) (#10143) (70b7b07)
• Password reset token single-use bypass via concurrent requests (GHSA-r3xq-68wh-gwvh) (#10216) (84db0a0)
• Protected field change detection oracle via LiveQuery watch parameter (GHSA-qpc3-fg4j-8hgm) (#10253) (0c0a0a5)
• Protected fields bypass via dot-notation in query and sort (GHSA-r2m8-pxm9-9c4g) (#10167) (8f54c54)
• Protected fields bypass via LiveQuery subscription WHERE clause (GHSA-j7mm-f4rv-6q6q) (#10175) (4d48847)
• Protected fields bypass via logical query operators (GHSA-72hp-qff8-4pvv) (#10140) (be1d65d)
• Protected fields leak via LiveQuery afterEvent trigger (GHSA-5hmj-jcgp-6hff) (#10232) (6648500)
• Query condition depth bypass via pre-validation transform pipeline (GHSA-9fjp-q3c4-6w3j) (#10257) (85994ef)
• Rate limit bypass via batch request endpoint (GHSA-775h-3xrc-c228) (#10147) (2766f4f)
• Rate limit bypass via HTTP method override and batch method spoofing (#10234) (7d72d26)
• Rate limit user zone key fallback and batch request bypass (#10214) (434ecbe)
• Revert accidental breaking default values for query complexity limits (#10205) (ab8dd54)
• Sanitize control characters in page parameter response headers (#10237) (337ffd6)
• Schema poisoning via prototype pollution in deep copy (GHSA-9ccr-fpp6-78qf) (#10200) (b321423)
• Security fix fast-xml-parser from 5.5.5 to 5.5.6 (#10235) (f521576)
• Security upgrade fast-xml-parser from 5.3.7 to 5.4.2 (#10086) (b04ca5e)
• Server crash via deeply nested query condition operators (GHSA-9xp9-j92r-p88v) (#10202) (f44e306)
• Session creation endpoint allows overwriting server-generated session fields (GHSA-5v7g-9h8f-8pgg) (#10195) (7ccfb97)
• Session token expiration unchecked on cache hit (#10194) (a944203)
• Session update endpoint allows overwriting server-generated session fields (GHSA-jc39-686j-wp6q) (#10263) (ea68fc0)
• SQL injection via Increment operation on nested object field in PostgreSQL (GHSA-q3vj-96h2-gwvg) (#10161) (8f82282)
• SQL injection via aggregate and distinct field names in PostgreSQL adapter (GHSA-p2w6-rmh7-w8q3) (#10272) (bdddab5)
• SQL injection via dot-notation field name in PostgreSQL (GHSA-qpr4-jrj4-6f27) (#10159) (ea538a4)
• SQL Injection via dot-notation sub-key name in Increment operation on PostgreSQL (GHSA-gqpp-xgvh-9h7h) (#10165) (169d692)
• SQL injection via query field name when using PostgreSQL (GHSA-c442-97qw-j6c6) (#10181) (be281b1)
• Stored cross-site scripting (XSS) via SVG file upload (GHSA-hcj7-6gxh-24ww) (#10136) (93b784d)
• Stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries (GHSA-42ph-pf9q-cr72) (#10191) (4f53ab3)
• Stored XSS via file upload of HTML-renderable file types (GHSA-v5hf-f4c3-m5rv) (#10162) (03287cf)
• User enumeration via email verification endpoint (GHSA-w54v-hf9p-8856) (#10172) (936abd4)
• Validate authData provider values in challenge endpoint (#10224) (e5e1f5b)
• Validate body field types in request middleware (#10209) (df69046)
• Validate session in middleware for non-GET requests to /sessions/me (#10213) (2a9fdab)
• Validate token type in PagesRouter to prevent type confusion errors (#10212) (386a989)

Features

• Add enableProductPurchaseLegacyApi option to disable legacy IAP validation (#10228) (622ee85)
• Add protectedFieldsOwnerExempt option to control _User class owner exemption for protectedFields (#10280) (d5213f8)
• Add X-Content-Type-Options: nosniff header and customizable response headers for files via Parse.Cloud.afterFind(Parse.File) (#10158) (28d11a3)