Security Flaw in Parse Server's OAuth2 Authentication Adapter Affects User Authentication
CVE-2026-30967

7.6 HIGH

Key Information:

Vendor
CVE Published:
10 March 2026

What is CVE-2026-30967?

The OAuth2 authentication adapter in Parse Server, when not configured with the useridField option, allows any valid OAuth2 token from the same provider to authenticate as any user. Because the adapter in that configuration checks only that the token is valid for the provider, and not that the token belongs to the user identity the client claims, an attacker holding any valid token from that provider can gain unauthorized access as another user. The issue is particularly serious for deployments that use OAuth2 without this safeguard in place, as it affects user confidentiality and system integrity.
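The check the paragraph above describes is easiest to see side by side: a validator that only confirms the token is valid for the provider, and the same validator once a `useridField` ties the provider's reported subject to the user id the client claims. The following is an added illustration written for this page, not Parse Server's own adapter code; every function and option name in it is hypothetical, and it assumes the provider's token-validation response (a userinfo or introspection document) has already been fetched and is passed in as `profile`, with the sample response constructed inline.

```javascript
// Hypothetical OAuth2 auth-data validator illustrating the configuration issue
// described for CVE-2026-30967. NOT Parse Server's code; all names are invented.
//
//   authData - what the client submits: { id: "<claimed user id>", access_token: "..." }
//   profile  - the provider's response for that token, already fetched (constructed here)
//   options  - adapter options; options.useridField names the profile field whose value
//              must equal authData.id for the token to count as proof of that user

function validateOAuth2AuthData(authData, profile, options = {}) {
  if (!authData || typeof authData.access_token !== 'string' || !authData.id) {
    throw new Error('authData must carry id and access_token');
  }
  // Token validity as reported by the provider (constructed "active" flag).
  if (!profile || profile.active === false) {
    throw new Error('token rejected by provider');
  }
  const field = options.useridField;
  if (!field) {
    // Weak configuration: nothing binds the token to authData.id, so any valid
    // token from this provider passes regardless of which user is claimed.
    return { ok: true, bound: false, reason: 'useridField not set: token not bound to user' };
  }
  const subject = profile[field];
  if (subject === undefined || subject === null) {
    throw new Error(`provider response has no "${field}" field`);
  }
  // Hardened path: the provider's subject must match the user the client claims.
  if (String(subject) !== String(authData.id)) {
    throw new Error('token subject does not match claimed user id');
  }
  return { ok: true, bound: true, reason: 'token subject matches claimed user id' };
}

// Stricter wrapper: refuse to operate at all when the binding field is missing,
// so a misconfigured deployment fails closed instead of silently accepting tokens.
function validateOAuth2AuthDataStrict(authData, profile, options = {}) {
  if (!options.useridField) {
    throw new Error('refusing to run OAuth2 adapter without useridField');
  }
  return validateOAuth2AuthData(authData, profile, options);
}

// Returns the validator's result, or a failure record instead of throwing.
function outcome(fn, ...args) {
  try {
    return fn(...args);
  } catch (e) {
    return { ok: false, bound: false, reason: e.message };
  }
}

// Constructed sample: the provider reports that this token belongs to subject "alice-123".
const sampleProfile = { active: true, sub: 'alice-123', email: 'alice@example.test' };
const token = 'tok_constructed_example';

// A request that claims a different user id while presenting Alice's valid token.
const mismatched = { id: 'bob-456', access_token: token };
const weak = outcome(validateOAuth2AuthData, mismatched, sampleProfile, {});
const fixed = outcome(validateOAuth2AuthData, mismatched, sampleProfile, { useridField: 'sub' });
const strict = outcome(validateOAuth2AuthDataStrict, mismatched, sampleProfile, {});

// A request whose claimed id matches the provider's subject.
const consistent = outcome(
  validateOAuth2AuthData,
  { id: 'alice-123', access_token: token },
  sampleProfile,
  { useridField: 'sub' }
);

console.log('no useridField  :', weak);        // accepted, but bound === false
console.log('useridField=sub :', fixed);       // rejected: subject mismatch
console.log('strict adapter  :', strict);      // rejected: configuration refused
console.log('matching id     :', consistent);  // accepted and bound
```

The point of the `bound` flag is auditability: a deployment can log or alert whenever the adapter accepts a login without having tied the token to a subject, which is exactly the condition an operator needs to hunt for when reviewing OAuth2 configurations against this advisory.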

Affected Version(s)

parse-server >= 9.0.0, < 9.5.2-alpha.9

parse-server < 8.6.22

References

CVSS V4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
