CVE-2026-30967

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9. and 8.6.22.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/parse-community/parse-server/releases/tag/8.6.22	Product Release Notes
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9	Product Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8::::node.js::*

History

No history.

Information

Published : 2026-03-10 21:16

Updated : 2026-03-11 19:04

NVD link : CVE-2026-30967

Mitre link : CVE-2026-30967

CVE.ORG link : CVE-2026-30967

JSON object : View

Products Affected

parseplatform

parse-server

CWE

CWE-287

Improper Authentication

{"id": "CVE-2026-30967", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-10T21:16:49.183", "references": [{"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.22", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9. and 8.6.22."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.5.2-alpha.9. y 8.6.22, el adaptador de autenticaci\u00f3n OAuth2, cuando se configura sin la opci\u00f3n useridField, solo verifica que un token est\u00e1 activo a trav\u00e9s del endpoint de introspecci\u00f3n de tokens del proveedor, pero no verifica que el token pertenezca al usuario identificado por authData.id. Un atacante con cualquier token OAuth2 v\u00e1lido del mismo proveedor puede autenticarse como cualquier otro usuario. Esto afecta a cualquier despliegue de Parse Server que utiliza el adaptador de autenticaci\u00f3n OAuth2 gen\u00e9rico (configurado con oauth2: true) sin establecer la opci\u00f3n useridField. Esta vulnerabilidad est\u00e1 corregida en 9.5.2-alpha.9. y 8.6.22."}], "lastModified": "2026-03-11T19:04:03.417", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E4334283-632F-4889-B492-A8ED94F505EA", "versionEndExcluding": "8.6.22"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E66572ED-597B-4D8E-A636-733D463A4E4D", "versionEndExcluding": "9.5.2", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E0D611B9-CD4F-418B-8FBD-CFA1BCA9E817"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "6521B8A9-6116-4CAE-9B5E-F22C204B1F0C"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "601B2CF1-D29A-42CC-8405-185C1A8E1EB2"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BC9F2B9D-026F-454B-B565-05AA441FA54F"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "FDDB20F1-F6A7-4B1E-B075-CC250613D826"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "CA14D0B7-B952-4C4E-B271-3EBB51C03E9C"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "19B7C5A9-B59A-4A47-B4F0-13C7C796B496"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "0E619B8B-BC91-4F71-B84D-52E563AB8E03"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}