Impact
The vulnerability arises because the Parse Server Keycloak authentication adapter does not verify the azp (authorized party) claim in Keycloak access tokens, so it never confirms that a presented token was actually issued to the client application the Parse Server represents. In a Keycloak realm with multiple client applications, a valid token issued for any other client is therefore accepted, and an attacker who holds such a token can authenticate as any user on the affected Parse Server, achieving cross‑application account takeover without any additional privileges or access to the server itself. The weakness is a form of authentication bypass (CWE‑287).
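As an added illustration (not the adapter's or Parse Server's own code), the Node.js snippet below contrasts the missing check with one that validates azp against the client ID the Parse Server is registered as in the realm. The client ID, issuer and token contents are constructed, Node.js 16+ is assumed for base64url support, and signature, issuer and expiry verification are assumed to happen elsewhere.

```javascript
// Added example (not Parse Server's or the adapter's own code).
// Assumes the token's signature, issuer and expiry have already been
// verified upstream; this only shows the missing `azp` check.
// Per OIDC, `azp` names the client the token was issued to, so it must
// equal the client ID this Parse Server is registered as in the realm.

// Decode the payload segment of a compact JWT (no signature check here).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// True only when the token was issued to the expected client.
function isAuthorizedParty(payload, expectedClientId) {
  return typeof payload.azp === 'string' && payload.azp === expectedClientId;
}

// Vulnerable behaviour: any token from the realm is accepted as-is.
function authenticateWithoutAzpCheck(token) {
  const payload = decodeJwtPayload(token);
  return { ok: true, userId: payload.sub };
}

// Hardened behaviour: tokens minted for another client are rejected.
function authenticateWithAzpCheck(token, expectedClientId) {
  const payload = decodeJwtPayload(token);
  if (!isAuthorizedParty(payload, expectedClientId)) {
    return { ok: false, reason: `azp is ${payload.azp ?? '<missing>'}, expected ${expectedClientId}` };
  }
  return { ok: true, userId: payload.sub };
}

// Constructed sample tokens; the signature segment is a placeholder.
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

const PARSE_CLIENT_ID = 'parse-app'; // hypothetical client ID
const ISSUER = 'https://keycloak.example/realms/demo'; // hypothetical realm
const foreignToken = makeSampleToken({ iss: ISSUER, sub: 'user-123', azp: 'other-app' });
const ownToken = makeSampleToken({ iss: ISSUER, sub: 'user-123', azp: PARSE_CLIENT_ID });

console.log(authenticateWithoutAzpCheck(foreignToken)); // accepted: the bug
console.log(authenticateWithAzpCheck(foreignToken, PARSE_CLIENT_ID)); // rejected
console.log(authenticateWithAzpCheck(ownToken, PARSE_CLIENT_ID)); // accepted
```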
Affected Systems
Parse Server deployments running versions prior to 9.5.2‑alpha.5 or 8.6.18 that use the Keycloak authentication adapter and are connected to a Keycloak realm with multiple client applications are affected. Parse Server is open‑source and can be deployed wherever Node.js runs.
Risk and Exploitability
The CVSS score of 7.6 reflects a high impact and medium exploitability. The EPSS score of less than 1 % indicates that the likelihood of public exploitation is low, and the vulnerability is not currently listed in the KEV catalog. However, an attacker who can acquire a valid Keycloak token for another client can trivially exploit the flaw by presenting the token to the Parse Server, bypassing all user‑level authentication checks. The attack vector is likely remote via signed JWT tokens, and no special privileges are required on the server side. Given the absence of a KEV listing, widespread exploitation may be limited, but the potential for internal account takeover remains significant for organizations using multi‑client Keycloak realms.
OpenCVE Enrichment
Github GHSA