#VU124985 Improper Authentication in Parse Server - CVE-2026-30967

Published: April 6, 2026

Vulnerability identifier: #VU124985
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-30967
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Parse Server
Software vendor: Parse Community

Description

The vulnerability allows a remote user to authenticate as any other user.

The vulnerability exists because the OAuth2 authentication adapter validates a token through the provider's token introspection endpoint without verifying that the token belongs to the user identified by authData.id. A remote user can therefore present any valid OAuth2 token issued by the same provider and authenticate as any other user.

This affects deployments that use the generic OAuth2 authentication adapter with oauth2 enabled and the useridField option not set.
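The check that is missing in the affected configuration can be illustrated with a small model of an OAuth2 adapter. The following is an added example and is not Parse Server's own code; it assumes that the introspection response follows RFC 7662 (an active flag plus subject fields such as sub) and that useridField names the response field carrying the user identifier. The introspection call is replaced by a constructed lookup table so the example runs offline. The weak variant accepts any active token, which is the class of defect the advisory describes; the strict variant refuses to run without useridField and binds the introspected subject to authData.id.

```javascript
// Added illustrative example, not Parse Server's code.
// Constructed introspection results, keyed by token, in the RFC 7662 shape.
const CONSTRUCTED_INTROSPECTION = {
  "tok-alice": { active: true, sub: "alice", scope: "openid" },
  "tok-bob":   { active: true, sub: "bob",   scope: "openid" },
  "tok-old":   { active: false },
};

// Stand-in for the HTTP POST to the provider's token introspection endpoint.
function introspect(token) {
  return CONSTRUCTED_INTROSPECTION[token] || { active: false };
}

// Weak variant: the token only has to be active. Nothing ties the token to
// the account named in authData.id, so a token for "bob" logs in "alice".
function validateAuthDataWeak(authData) {
  const result = introspect(authData.access_token);
  if (!result.active) {
    return { ok: false, reason: "token is not active" };
  }
  return { ok: true, id: authData.id };
}

// Hardened variant: useridField is mandatory, and the field it names in the
// introspection response must equal authData.id.
function validateAuthDataStrict(authData, options) {
  const field = options && options.useridField;
  if (typeof field !== "string" || field.length === 0) {
    return { ok: false, reason: "useridField must be configured" };
  }
  const result = introspect(authData.access_token);
  if (!result.active) {
    return { ok: false, reason: "token is not active" };
  }
  const subject = result[field];
  if (typeof subject !== "string" || subject !== String(authData.id)) {
    return { ok: false, reason: "token subject does not match authData.id" };
  }
  return { ok: true, id: authData.id };
}

// Stand-alone demonstration of the difference.
const crossUser = { id: "alice", access_token: "tok-bob" };
console.log("weak:  ", validateAuthDataWeak(crossUser));
console.log("strict:", validateAuthDataStrict(crossUser, { useridField: "sub" }));
```

A deployment-side check that follows from the strict variant is to treat a missing useridField as a configuration error that disables the adapter rather than as a setting with a permissive default.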


Remediation

Install the security update from the vendor's website.

External links