SB2026040770 - Improper Authentication in Parse Server
Published: April 7, 2026

Security Bulletin ID: SB2026040770
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Improper Authentication (CVE-ID: CVE-2026-30967)

The vulnerability allows a remote user to authenticate as any other user.

The vulnerability exists because the OAuth2 authentication adapter validates tokens through the provider's token introspection endpoint without verifying that the token belongs to the user identified by authData.id. A remote user can present any valid OAuth2 token issued by the same provider and authenticate as any other user.

This affects deployments using the generic OAuth2 authentication adapter with oauth2 enabled when the useridField option is not set.
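The missing check described above, shown as an added illustration that is not Parse Server's own code: a token-introspection validator that only tests whether the token is active, beside one that also binds the token's subject to authData.id. The introspection response fields follow RFC 7662 (`active`, `sub`); the option name `useridField` is taken from the bulletin, its default of `sub` and the function names are assumptions, and the introspection responses are constructed stand-ins for the provider's endpoint.

```javascript
// Constructed sample introspection responses keyed by token, standing in
// for what the provider's token introspection endpoint would return.
const INTROSPECTION = {
  "tok-alice": { active: true, sub: "alice" },
  "tok-bob": { active: true, sub: "bob" },
  "tok-expired": { active: false },
};

// Hypothetical stand-in for the network call to the introspection endpoint.
function introspect(token) {
  return INTROSPECTION[token] || { active: false };
}

// Vulnerable pattern: the adapter only checks that the provider reports the
// token as active, so any active token from the same provider logs the
// caller in as whatever user id was supplied in authData.id.
function validateAuthDataVulnerable(authData) {
  const info = introspect(authData.access_token);
  if (!info.active) throw new Error("token inactive");
  return { id: authData.id };
}

// Hardened pattern: the user identifier reported by the provider (the field
// named by useridField, assumed here to default to "sub") must equal
// authData.id; a mismatch or a missing field rejects the login.
function validateAuthDataHardened(authData, options = {}) {
  const useridField = options.useridField || "sub";
  const info = introspect(authData.access_token);
  if (!info.active) throw new Error("token inactive");
  const subject = info[useridField];
  if (subject === undefined || subject !== authData.id) {
    throw new Error("token does not belong to authData.id");
  }
  return { id: authData.id };
}
```

Configuring useridField to the claim your provider actually emits (for example a user id field other than `sub`) is what makes the hardened comparison meaningful; an unset field should be treated as a deployment error rather than silently skipped.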


Remediation

Install the update from the vendor's website.