CVE-2026-30967

March 11, 2026, 7:04 p.m.

7.6
High

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9. and 8.6.22.

Product(s) Impacted

Vendor Product Versions
Parseplatform
  • Parse-server
  • *, 9.5.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a parseplatform parse-server / / / / / node.js / /
a parseplatform parse-server / / / / / node.js / /
a parseplatform parse-server 9.5.2 alpha1 / / / node.js / /
a parseplatform parse-server 9.5.2 alpha2 / / / node.js / /
a parseplatform parse-server 9.5.2 alpha3 / / / node.js / /
a parseplatform parse-server 9.5.2 alpha4 / / / node.js / /
a parseplatform parse-server 9.5.2 alpha5 / / / node.js / /
a parseplatform parse-server 9.5.2 alpha6 / / / node.js / /
a parseplatform parse-server 9.5.2 alpha7 / / / node.js / /
a parseplatform parse-server 9.5.2 alpha8 / / / node.js / /

References

https://github.com/parse-community/parse-server/releases/tag/8.6.22
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9
https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596

Tags

[email protected]
CWE-287
2026-03-10
CVE-2026-30967

CVSS Score

7.6 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: PRESENT
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: March 10, 2026, 9:16 p.m.
Last Modified: March 11, 2026, 7:04 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.