Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9 and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9 and 8.6.22.
Published: 2026-03-10
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover via Identity Spoofing
Action: Patch Now
AI Analysis

Impact

The OAuth2 authentication adapter fails to verify that a token matches the user ID supplied in authData.id when the useridField option is omitted. Consequently, any attacker who possesses a valid OAuth2 token from the same provider can forge authentication requests as any target user. This flaw enables complete hijacking of user accounts, allowing unauthorized modification of personal data and access to sensitive information, and can also increase privileges if the account has elevated rights. The weakness is a classic authentication failure (CWE-287).

Affected Systems

This vulnerability affects Parse Server deployments that use the generic OAuth2 authentication adapter with oauth2: true and do not configure the useridField setting. All versions prior to 9.5.2-alpha.9 in the 9.x series and prior to 8.6.22 in the 8.x series are impacted. The affected environment is the open‑source Parse Server application running on Node.js.

Risk and Exploitability

The CVSS score of 7.6 indicates significant severity, while the EPSS score of <1% suggests that exploitation has so far been infrequent. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation is known. An attacker needs only a valid OAuth2 token issued by the same provider; such a token may be obtained through phishing, credential stuffing, or compromised client credentials. With such a token, the attacker can send a login request whose authData.id names the target user and, because the adapter never checks that the token belongs to that user, assume the target's identity, leading to full account takeover of any account that relies on this OAuth2 authentication path.

Generated by OpenCVE AI on April 16, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.5.2-alpha.9 or 8.6.22 or later, where the token’s identity is verified.
  • If an upgrade cannot be performed immediately, configure the OAuth2 adapter with the useridField option set to the field that contains the authenticated user’s ID and ensure the provider’s introspection response contains the correct user identifier.
  • Review and harden OAuth2 token handling—store tokens securely, rotate them regularly, and grant only the minimum scopes required—to reduce the likelihood that an attacker obtains a usable token.
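The check that the description and the useridField workaround above turn on, as an added illustrative model (not Parse Server's own adapter code): the introspection responses and the token-to-user map are constructed, and the only option names taken from the page are oauth2 and useridField.

```javascript
// Constructed stand-in for the provider's token introspection endpoint
// (RFC 7662 style: `active` plus a subject claim `sub`). Not a real provider.
const INTROSPECTION_DB = {
  'tok-alice': { active: true, sub: 'alice', scope: 'openid' },
  'tok-bob': { active: true, sub: 'bob', scope: 'openid' },
  'tok-expired': { active: false },
};

function introspect(token) {
  return INTROSPECTION_DB[token] || { active: false };
}

// Models the adapter's decision: `active` is always required, but the binding
// between the token and authData.id is only checked when useridField is set.
function validateAuthData(authData, options) {
  const info = introspect(authData.access_token);
  if (info.active !== true) {
    return { ok: false, reason: 'token not active' };
  }
  if (!options.useridField) {
    // Vulnerable path: any active token from the provider passes for any id.
    return { ok: true, reason: 'active token, identity not verified' };
  }
  const boundId = info[options.useridField];
  if (boundId === undefined || String(boundId) !== String(authData.id)) {
    return { ok: false, reason: 'token does not belong to authData.id' };
  }
  return { ok: true, reason: 'token bound to authData.id' };
}

// Config audit helper: does this adapter configuration reject a login whose
// authData.id does not match the user the (valid) token was issued to?
function identityBindingEnforced(options) {
  const mismatch = { id: 'alice', access_token: 'tok-bob' };
  return validateAuthData(mismatch, options).ok === false;
}

// Weak configuration from the advisory beside its corrected form.
const VULNERABLE = { oauth2: true };
const HARDENED = { oauth2: true, useridField: 'sub' };

console.log('useridField unset, binding enforced:', identityBindingEnforced(VULNERABLE)); // false
console.log('useridField=sub, binding enforced:', identityBindingEnforced(HARDENED)); // true
```

The useridField value must name the field in your provider's introspection response that carries the user identifier (`sub` here is an assumption); if that field is absent from the response, the hardened path rejects the login rather than falling open.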



Advisories

Source: GitHub GHSA
ID: GHSA-fr88-w35c-r596
Title: Parse Server OAuth2 authentication adapter account takeover via identity spoofing
History

Wed, 11 Mar 2026 19:15:00 +0000

Type: First Time appeared
Values Added: Parseplatform; Parseplatform parse-server

Type: CPEs
Values Added:
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Parseplatform; Parseplatform parse-server

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 11 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values Added: Parse Community; Parse Community parse Server

Tue, 10 Mar 2026 21:00:00 +0000

Type: Description
Values Added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9. and 8.6.22.

Type: Title
Values Added: Parse Server OAuth2 authentication adapter account takeover via identity spoofing

Type: Weaknesses
Values Added: CWE-287

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:24:17.364Z

Reserved: 2026-03-07T17:53:48.815Z

Link: CVE-2026-30967

Vulnrichment

Updated: 2026-03-11T15:24:07.202Z

NVD

Status : Analyzed

Published: 2026-03-10T21:16:49.183

Modified: 2026-03-11T19:04:03.417

Link: CVE-2026-30967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses