Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy. Deployments that configure multiple OAuth2 providers via the oauth2: true flag are affected. This vulnerability is fixed in 9.6.0-alpha.11 and 8.6.37.
Published: 2026-03-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch
AI Analysis

Impact

The vulnerability is a race condition (CWE-362): Parse Server's OAuth2 auth adapter exports a single instance that is reused for every OAuth2 provider configuration, so per-provider settings live in shared mutable state. When authentication requests for different providers are in flight at the same time, one request's token validation can run against another provider's configuration, and a token that the intended provider should reject is accepted because it is checked under a different provider's policy. The result is an authentication bypass that could let an attacker obtain access, or a different level of access, through a provider that never issued the token.
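The following is an added example and not Parse Server's code: a minimal model of the pattern the advisory describes (one adapter instance whose per-provider settings are written onto the shared object before each validation) next to a per-provider alternative that holds no shared mutable state. The class names, the option names tokenIntrospectionEndpoint and appIds, the provider names and the tokens are all constructed for the illustration; the "introspection" call is an in-memory table standing in for the provider's HTTP endpoint.

```javascript
// Added example (not Parse Server code): models the shared-singleton race the
// advisory describes and a per-provider fix. All names and data are constructed.

// Constructed provider configs, as a deployment with two OAuth2 providers might have.
const PROVIDERS = {
  providerA: { tokenIntrospectionEndpoint: 'https://a.example/introspect', appIds: ['app-a'] },
  providerB: { tokenIntrospectionEndpoint: 'https://b.example/introspect', appIds: ['app-b'] },
};

// Constructed stand-in for the providers' introspection endpoints (no network):
// each endpoint recognises only the tokens that provider issued.
const FAKE_INTROSPECTION = {
  'https://a.example/introspect': { 'token-a': { active: true, appId: 'app-a' } },
  'https://b.example/introspect': { 'token-b': { active: true, appId: 'app-b' } },
};

async function introspect(endpoint, token) {
  await Promise.resolve(); // stands in for the HTTP round trip
  return FAKE_INTROSPECTION[endpoint]?.[token] ?? { active: false };
}

// Vulnerable shape: a single instance reused for every provider. Each call copies the
// provider's options onto `this`, then awaits; a concurrent call for another provider
// overwrites those fields before this call reads them back.
class SingletonOAuth2Adapter {
  validateOptions(options) {
    this.tokenIntrospectionEndpoint = options.tokenIntrospectionEndpoint;
    this.appIds = options.appIds;
  }

  async validateAuthData(authData, options) {
    this.validateOptions(options);
    await Promise.resolve(); // any await here (config lookup, agent setup) opens the window
    const result = await introspect(this.tokenIntrospectionEndpoint, authData.access_token);
    if (!result.active || !this.appIds.includes(result.appId)) {
      throw new Error('Unauthorized');
    }
    return true;
  }
}

// Fixed shape: one frozen instance per provider, and validation reads only locals,
// so nothing a concurrent request does can change which policy this request applies.
class PerProviderOAuth2Adapter {
  constructor(options) {
    this.options = Object.freeze({ ...options });
  }

  async validateAuthData(authData) {
    const { tokenIntrospectionEndpoint, appIds } = this.options;
    await Promise.resolve();
    const result = await introspect(tokenIntrospectionEndpoint, authData.access_token);
    if (!result.active || !appIds.includes(result.appId)) {
      throw new Error('Unauthorized');
    }
    return true;
  }
}

// Two logins in flight at once: a token issued by provider B presented as a provider A
// login (must be rejected), and the same token presented to provider B (legitimate).
async function concurrentLogins(validateFor) {
  const [crossProvider, legitimate] = await Promise.allSettled([
    validateFor('providerA', 'token-b'),
    validateFor('providerB', 'token-b'),
  ]);
  return {
    crossProviderAccepted: crossProvider.status === 'fulfilled',
    legitimateAccepted: legitimate.status === 'fulfilled',
  };
}

async function vulnerableRun() {
  const shared = new SingletonOAuth2Adapter();
  return concurrentLogins((provider, token) =>
    shared.validateAuthData({ access_token: token }, PROVIDERS[provider]));
}

async function fixedRun() {
  const adapters = Object.fromEntries(
    Object.entries(PROVIDERS).map(([name, opts]) => [name, new PerProviderOAuth2Adapter(opts)]));
  return concurrentLogins((provider, token) =>
    adapters[provider].validateAuthData({ access_token: token }));
}

Promise.all([vulnerableRun(), fixedRun()]).then(([singleton, perProvider]) => {
  console.log('singleton adapter:   ', singleton);   // crossProviderAccepted: true
  console.log('per-provider adapter:', perProvider); // crossProviderAccepted: false
});
```

The interleaving is deterministic here: the first call writes provider A's settings, yields at its first await, the second call writes provider B's settings over them, and when the first call resumes it introspects token-b against provider B's endpoint and app-id list and accepts it as a provider A login. The fixed shape removes the write to shared state rather than trying to serialise the requests, which is the same direction the upstream fix takes (no singleton shared across provider configurations).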

Affected Systems

Affected deployments run parse-community/parse-server from either of two lines: releases before 8.6.37, and 9.6.0 pre-releases before alpha.11 (NVD's CPE entries enumerate 9.6.0 alpha1 through alpha10 explicitly, plus a wildcard version range for parseplatform:parse-server). A deployment is exposed only if it configures two or more OAuth2 providers through the built-in adapter (the oauth2: true flag), because that is when the single shared instance serves more than one configuration.

Risk and Exploitability

The issue carries a CVSS 4.0 base score of 9.1 (Critical; the CVSS 3.1 score recorded by NVD is 7.4, High) and an EPSS score below 1%, indicating a low current probability of exploitation. It is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. The attack vector is remote, through the OAuth2 authentication endpoint, but attack complexity is rated High with attack requirements present (AC:H/AT:P): the attacker needs a deployment with more than one OAuth2 provider configured and must have their request interleave with a concurrent request for another provider. Given the authentication-bypass outcome, upgrading promptly is still the right call.

Generated by OpenCVE AI on March 18, 2026 at 15:31 UTC.

Remediation

Fixed upstream in Parse Server 8.6.37 and 9.6.0-alpha.11 (GitHub advisory GHSA-2cjm-2gwv-m892).

OpenCVE Recommended Actions

  • Upgrade Parse Server to 8.6.37 (8.x line) or 9.6.0-alpha.11 (9.x pre-release line); these releases remove the shared singleton state in the OAuth2 adapter.
  • If the upgrade cannot be applied immediately, reduce the deployment to a single provider using the oauth2: true adapter, since the shared instance only causes cross-provider validation when two or more such providers are configured; restore the other providers after upgrading.


Advisories
Source: GitHub GHSA
ID: GHSA-2cjm-2gwv-m892
Title: Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
History

Fri, 13 Mar 2026 17:00:00 +0000

First time appeared (added): Parseplatform; Parseplatform parse-server
CPEs (added):
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*
Vendors & Products (added): Parseplatform; Parseplatform parse-server
Metrics (added): cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Fri, 13 Mar 2026 16:15:00 +0000

Metrics (added): ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

First time appeared (added): Parse Community; Parse Community parse Server
Vendors & Products (added): Parse Community; Parse Community parse Server

Thu, 12 Mar 2026 19:00:00 +0000

Description (added): identical to the Description at the top of this page.
Title (added): Parse Server OAuth2 adapter shares mutable state across providers via singleton instance
Weaknesses (added): CWE-362
References
Metrics (added): cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:20:14.597Z

Reserved: 2026-03-11T14:47:05.685Z

Link: CVE-2026-32242

Vulnrichment

Updated: 2026-03-12T20:20:10.369Z

NVD

Status : Analyzed

Published: 2026-03-12T19:16:19.230

Modified: 2026-03-13T16:57:55.797

Link: CVE-2026-32242

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:55:00Z

Weaknesses