Impact
The vulnerability originates from improper validation of application identifiers when the OAuth2 adapter is configured with appidField and appIds. As noted in the vendor description, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. This could result in either a universal login failure or, if the introspection endpoint returns valid-looking data for the malformed request, unauthorized authentication from disallowed app contexts, effectively bypassing intended access controls. The weakness is reflected in CWE-683, indicating misuse of data that can compromise authentication integrity.
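The description above implies what a correct adapter must do: send the user's access token itself to the introspection endpoint and then check the app identifier the endpoint returns against the configured allowlist, failing closed. The following is an added illustration of that fail-closed check, not Parse Server's own code; `validateAuthData`, `introspect` and the option names other than `appidField` and `appIds` are assumed, and the endpoint is replaced by a constructed in-memory table so the example runs offline.

```javascript
// Added example (not Parse Server's code): fail-closed OAuth2 token
// introspection with an app-id allowlist. Option names other than
// appidField/appIds are assumptions for this example.

// Constructed stand-in for the introspection endpoint's responses,
// keyed by access token (RFC 7662-style shape).
const CONSTRUCTED_TOKENS = {
  "tok-good": { active: true, sub: "user-1", client_id: "allowed-app" },
  "tok-wrong-app": { active: true, sub: "user-2", client_id: "other-app" },
  "tok-inactive": { active: false },
};

// Hypothetical transport helper. A real adapter would POST
// `token=<accessToken>` to `endpoint` over HTTPS and await the JSON body.
function introspect(endpoint, accessToken) {
  return CONSTRUCTED_TOKENS[accessToken] || { active: false };
}

function validateAuthData(authData, options) {
  const { id, access_token: accessToken } = authData || {};
  const { tokenIntrospectionEndpointUrl, useridField, appidField, appIds } = options;
  if (typeof accessToken !== "string" || accessToken.length === 0) {
    throw new Error("OAuth2: access_token is required");
  }
  // The introspection request carries the access token only; nothing
  // client-controlled from authData is substituted for it.
  const result = introspect(tokenIntrospectionEndpointUrl, accessToken);
  if (!result || result.active !== true) {
    throw new Error("OAuth2: token is inactive or invalid");
  }
  // The token must belong to the user the client claims to be.
  if (useridField && result[useridField] !== id) {
    throw new Error("OAuth2: token does not belong to the claimed user");
  }
  if (appidField) {
    // Fail closed: when an allowlist is configured, the app id returned by
    // the endpoint must be a string that exactly matches a configured entry.
    const allowed = Array.isArray(appIds) ? appIds : [];
    const appId = result[appidField];
    if (typeof appId !== "string" || !allowed.includes(appId)) {
      throw new Error("OAuth2: token was issued for a disallowed app");
    }
  }
  return result;
}
```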
Affected Systems
Affected deployments run Parse Server (parse-community:parse-server) with the OAuth2 adapter configured with appidField and appIds. Versions prior to 9.6.0-alpha.13 and 8.6.39 are vulnerable, as specified by the release advisory and the CPE list, which enumerates multiple alpha releases of 9.6.0 and the 8.6.39 release.
Risk and Exploitability
With a CVSS score of 6.3, the vulnerability is rated medium severity. The EPSS score is below 1%, indicating a low predicted probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a network-based OAuth2 login attempt in which crafted app ID values are supplied. Successful exploitation could bypass authentication controls for the affected application context and grant unauthorized access to protected resources.
OpenCVE Enrichment