OAuth2 Authentication Issue in Parse Server by Parse Community
CVE-2026-32242

CVSS v4 score: 9.1 (CRITICAL)

Key Information:

Vendor: Parse Community
CVE Published: 12 March 2026

What is CVE-2026-32242?

Parse Server, a versatile open-source backend solution for Node.js, contains a vulnerability in its OAuth2 authentication mechanism. This flaw arises from the usage of a shared singleton instance across multiple OAuth2 provider configurations, leading to conflicts during concurrent authentication requests. Specifically, the validation of a token intended for one provider may inadvertently occur using the configuration of another provider, thereby risking the acceptance of an invalid token. This issue impacts deployments utilizing the 'oauth2: true' flag with multiple OAuth2 providers configured. Users should upgrade to the latest versions, specifically 9.6.0-alpha.11 or 8.6.37, to mitigate this vulnerability.
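The bug class described above, as an added illustration rather than Parse Server's own code: one adapter object is shared by every configured provider and keeps the "current" provider configuration in a mutable field, so while one request awaits its network round-trip, a concurrent request for a different provider overwrites that field and the first request finishes validating against the wrong client ID. The provider names, client IDs, and the "audience:nonce" token format are constructed for the example.

```javascript
// Constructed provider table: each OAuth2 provider has its own client ID, and a
// token issued for one provider must never validate against another's settings.
const providers = {
  providerA: { clientId: 'client-a' },
  providerB: { clientId: 'client-b' },
};

// Stand-in for the network call (token introspection / userinfo). It yields to the
// event loop, which is what lets a second request interleave with the first.
const fetchTokenInfo = async (token) => {
  await new Promise((resolve) => setImmediate(resolve));
  return { aud: token.split(':')[0] }; // constructed token format "<audience>:<nonce>"
};

// VULNERABLE pattern: a single shared adapter whose config is a mutable field.
class SharedAdapter {
  constructor() { this.config = null; }
  async validate(token, providerName) {
    this.config = providers[providerName];     // shared state, overwritten per request
    const info = await fetchTokenInfo(token);  // another request can run here
    return info.aud === this.config.clientId;  // reads whichever config was set last
  }
}

// FIXED pattern: one adapter per provider, config bound at construction, never shared.
class PerProviderAdapter {
  constructor(config) { this.config = config; }
  async validate(token) {
    const info = await fetchTokenInfo(token);
    return info.aud === this.config.clientId;
  }
}

// Race two requests: a token meant for providerB is presented to providerA's login,
// while a legitimate providerB login is in flight at the same time.
async function raceShared() {
  const adapter = new SharedAdapter();
  const [wrongProvider, legit] = await Promise.all([
    adapter.validate('client-b:nonce1', 'providerA'),
    adapter.validate('client-b:nonce2', 'providerB'),
  ]);
  return { wrongProvider, legit }; // wrongProvider is wrongly true under the race
}

async function raceFixed() {
  const adapters = Object.fromEntries(
    Object.entries(providers).map(([name, cfg]) => [name, new PerProviderAdapter(cfg)]));
  const [wrongProvider, legit] = await Promise.all([
    adapters.providerA.validate('client-b:nonce1'),
    adapters.providerB.validate('client-b:nonce2'),
  ]);
  return { wrongProvider, legit }; // wrongProvider is correctly false
}
```

The interleaving is deterministic here because both requests are started in the same tick; in a real server the same outcome simply depends on timing, which is why the fix is structural (no shared mutable configuration) rather than a retry or a lock around the network call.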

Affected Version(s)

parse-server: >= 9.0.0 and < 9.6.0-alpha.11 (fixed in 9.6.0-alpha.11)

parse-server: < 8.6.37 (fixed in 8.6.37)

CVSS v4

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved