Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. The fix in versions 8.6.3 and 9.1.1-alpha.4 hardcodes the expected `RS256` algorithm instead of trusting the JWT header, and replaces the Google adapter's custom key fetcher with `jwks-rsa` which rejects unknown key IDs. As a workaround, dsable Google authentication until upgrading is possible.
Published: 2026-02-25
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover via forged JWT tokens
Action: Immediate Patch
AI Analysis

Impact

Parse Server lets attackers forge a Google authentication token by setting the JWT header "alg" to "none". This bypasses signature verification, allowing the attacker to log in as any user whose Google account is linked to the Parse Server instance, even without knowing the user’s credentials. The weakness is a classic algorithm confusion flaw, mapped to CWE‑327 and CWE‑345.

Affected Systems

All deployments of parse‑server by the Parse Community that have Google authentication enabled are affected. Versions prior to 8.6.3 and 9.1.1‑alpha.4, regardless of sub‑release, are vulnerable. The issue exists in Node.js environments running Parse Server on any infrastructure that hosts the application.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating a high severity impact. The EPSS score is below 1%, suggesting a low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit it remotely by crafting a JWT with "alg":"none" and sending it to the Parse Server’s authentication endpoint, requiring only network access to the application and no prior credentials.

Generated by OpenCVE AI on April 17, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.3 or newer, or to 9.1.1‑alpha.4 if using a 9.x release. This fix hardcodes the expected RS256 algorithm and replaces the custom key fetcher with jwks‑rsa, rejecting unknown key IDs.
  • If upgrading is not immediately possible, temporarily disable Google authentication in your Parse Server configuration to prevent the vulnerability from being exploitable.
  • After deploying, monitor authentication logs for anomalous login attempts that might indicate exploitation attempts.

Generated by OpenCVE AI on April 17, 2026 at 14:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4q3h-vp4r-prv2 Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
History

Wed, 04 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.3.1:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.3.1:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.3.1:alpha3:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Sat, 28 Feb 2026 05:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Thu, 26 Feb 2026 00:00:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. The fix in versions 8.6.3 and 9.1.1-alpha.4 hardcodes the expected `RS256` algorithm instead of trusting the JWT header, and replaces the Google adapter's custom key fetcher with `jwks-rsa` which rejects unknown key IDs. As a workaround, dsable Google authentication until upgrading is possible.
Title Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
Weaknesses CWE-327
CWE-345
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T17:03:50.903Z

Reserved: 2026-02-24T02:31:33.266Z

Link: CVE-2026-27804

cve-icon Vulnrichment

Updated: 2026-02-26T17:03:36.283Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T00:16:25.793

Modified: 2026-03-04T03:09:41.600

Link: CVE-2026-27804

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses