Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11.
Published: 2026-03-07
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch
AI Analysis

Impact

Parse Server’s Google, Apple, and Facebook authentication adapters validate identity tokens using JWT verification, but when the adapter’s audience configuration option is unset, the verification routine silently skips checking the audience claim. This omission means a validly signed JWT issued for a different application can be accepted, allowing an attacker to authenticate as any user on the target Parse Server and gain full access to the server’s resources.

Affected Systems

The vulnerability applies to Parse Server deployments that use the default Google, Apple, or Facebook authentication adapters without explicitly setting the audience value. Releases older than 8.6.10 or 9.5.0‑alpha.11 are affected; those versions and later contain the fix.

Risk and Exploitability

The CVSS score of 9.3 classifies the flaw as critical, and the EPSS score of < 1 % indicates a very low but non‑zero probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw remotely by sending a crafted authentication request to the Parse Server endpoint that contains a validly signed JWT issued for another application. The attacker only needs a correctly signed token and does not require additional privileges. Based on the description, it is inferred that the attack vector is network‑based and relies on the standard authentication mechanism of Parse Server.

Generated by OpenCVE AI on April 18, 2026 at 09:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Parse Server to version 8.6.10 or later, or to 9.5.0‑alpha.11 or newer where the fix is included.
  • If an immediate upgrade is not feasible, configure the authentication adapters to supply the correct audience value: set clientId for Google and Apple, and appIds for Facebook, ensuring that audience validation is performed.
  • After applying the patch or configuration change, monitor authentication logs for abnormal activity and restrict exposure of the authentication endpoint to trusted networks.

Generated by OpenCVE AI on April 18, 2026 at 09:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x6fw-778m-wr9v Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
History

Tue, 10 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
Weaknesses CWE-863
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha9:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 09 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Sat, 07 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11.
Title Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T18:25:24.090Z

Reserved: 2026-03-05T21:27:35.342Z

Link: CVE-2026-30863

cve-icon Vulnrichment

Updated: 2026-03-09T16:43:53.833Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-07T17:15:54.137

Modified: 2026-03-10T16:50:58.427

Link: CVE-2026-30863

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses