Improper Authentication in Parse Server - CVE-2026-30967

 

Improper Authentication in Parse Server - CVE-2026-30967

Published: April 6, 2026


Vulnerability identifier: #VU124985
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-30967
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote user to authenticate as any other user.

The vulnerability exists due to improper authentication in the OAuth2 authentication adapter when validating tokens through the provider's token introspection endpoint without verifying that the token belongs to the user identified by authData.id. A remote user can present any valid OAuth2 token from the same provider to authenticate as any other user.

This affects deployments using the generic OAuth2 authentication adapter with oauth2 enabled when the useridField option is not set.


How to mitigate CVE-2026-30967

Install security update from vendor's website.

Sources