Function Call With Incorrect Order of Arguments in Parse Server - CVE-2026-32269

 

Function Call With Incorrect Order of Arguments in Parse Server - CVE-2026-32269

Published: April 6, 2026


Vulnerability identifier: #VU125003
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-32269
CWE-ID: CWE-683
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass app ID restrictions during OAuth2 authentication.

The vulnerability exists due to function call with incorrect order of arguments in the OAuth2 authentication adapter app ID validation method when validating app IDs with configured appidField and appIds. A remote attacker can trigger OAuth2 authentication with a malformed introspection request to bypass app ID restrictions during OAuth2 authentication.

Deployments are affected only when the OAuth2 adapter is used with both appidField and appIds configured.


How to mitigate CVE-2026-32269

Install security update from vendor's website.

Sources