#VU125003 Function Call With Incorrect Order of Arguments in Parse Server - CVE-2026-32269

 


Published: April 6, 2026


Vulnerability identifier: #VU125003
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-32269
CWE-ID: CWE-683
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Parse Server
Software vendor:
Parse Community

Description

The vulnerability allows a remote attacker to bypass app ID restrictions during OAuth2 authentication.

The vulnerability exists due to a function call with an incorrect order of arguments in the app ID validation method of the OAuth2 authentication adapter, used when validating app IDs with appidField and appIds configured. A remote attacker can trigger OAuth2 authentication with a malformed introspection request to bypass app ID restrictions during OAuth2 authentication.

Deployments are affected only when the OAuth2 adapter is used with both appidField and appIds configured.
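
One way to check whether a deployment meets this condition, as an added example that is not part of the advisory or of Parse Server's own code. It assumes the server's `auth` configuration is available as a plain object and that OAuth2 adapter entries are marked with `oauth2: true`; the provider names and values in the sample are constructed.

```javascript
// Exposure check for the condition stated in the advisory: an OAuth2 adapter
// entry with BOTH appidField and appIds configured.
// Assumption (not from the advisory): OAuth2 entries carry `oauth2: true`.

// Treat a non-empty string or non-empty array as "configured".
function isConfigured(value) {
  if (Array.isArray(value)) return value.length > 0;
  return typeof value === 'string' && value.trim().length > 0;
}

// Returns one finding per OAuth2 adapter entry in the auth configuration.
function auditOAuth2Exposure(authConfig) {
  const findings = [];
  for (const [provider, cfg] of Object.entries(authConfig || {})) {
    // Skip entries that are not OAuth2 adapter configurations.
    if (!cfg || typeof cfg !== 'object' || cfg.oauth2 !== true) continue;
    const hasField = isConfigured(cfg.appidField);
    const hasIds = isConfigured(cfg.appIds);
    findings.push({
      provider,
      affected: hasField && hasIds,
      reason: hasField && hasIds
        ? 'appidField and appIds are both configured'
        : 'appidField and appIds are not both configured',
    });
  }
  return findings;
}

// Constructed sample configuration (hypothetical provider names and values).
const sampleAuth = {
  corpIdp: { oauth2: true, appidField: 'client_id', appIds: ['mobile-app'] },
  partnerIdp: { oauth2: true, appidField: 'client_id' },
  openIdp: { oauth2: true },
  otherProvider: { someOption: 'value' },
};

for (const f of auditOAuth2Exposure(sampleAuth)) {
  console.log(`${f.provider}: ${f.affected ? 'AFFECTED' : 'not affected'} (${f.reason})`);
}
```

Providers reported as affected are the ones to prioritize for the vendor's update.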


Remediation

Install the security update from the vendor's website.
