CVE-2026-27804
Received Received - Intake
JWT None Algorithm Bypass in Parse Server Google Authentication

Publication date: 2026-02-26

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. The fix in versions 8.6.3 and 9.1.1-alpha.4 hardcodes the expected `RS256` algorithm instead of trusting the JWT header, and replaces the Google adapter's custom key fetcher with `jwks-rsa` which rejects unknown key IDs. As a workaround, dsable Google authentication until upgrading is possible.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-04
Generated
2026-05-27
AI Q&A
2026-02-26
EPSS Evaluated
2026-05-25
NVD
CVE-2026-27804
EUVD
EUVD-2026-8774
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
parseplatform parse-server to 8.6.3 (exc)
parseplatform parse-server From 9.0.0 (inc) to 9.3.1 (exc)
parseplatform parse-server 9.3.1
parseplatform parse-server 9.3.1
parseplatform parse-server 9.3.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': 'CVE-2026-27804 is a critical security vulnerability in the Parse Server\'s Google authentication adapter. The issue arises because the server previously trusted the algorithm specified in the JWT (JSON Web Token) header during verification. An attacker can exploit this by forging a Google authentication token with the algorithm set to "none", which bypasses signature verification. This allows the attacker to log in as any user linked to a Google account without knowing their credentials.'}, {'type': 'paragraph', 'content': "The vulnerability is caused by algorithm confusion, where the server accepts tokens with manipulated or missing signatures due to trusting the JWT header's algorithm field. The fix hardcodes the expected JWT algorithm to RS256 during token verification, ignoring the algorithm declared in the token header, and replaces the custom key fetcher with a more secure one that rejects unknown key IDs."}] [1, 3, 4]


How can this vulnerability impact me? :

This vulnerability can have severe impacts because it allows an unauthenticated attacker to perform a full account takeover by forging authentication tokens. The attacker can log in as any user linked to a Google account without needing their credentials, leading to unauthorized access and potential modification of user data.

The attack can be performed remotely over the network with low complexity and no user interaction required, making it highly exploitable. The impacts include high confidentiality and integrity breaches, as attackers gain unauthorized access to user accounts and can potentially manipulate data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': 'This vulnerability involves the acceptance of forged JWT tokens with the algorithm field set to "none" in the Google authentication adapter of Parse Server. Detection involves identifying attempts to authenticate using JWT tokens that specify an insecure or no algorithm (e.g., "alg:none").'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your system or network, you can monitor authentication logs for JWT tokens with the "alg:none" header or tokens that fail signature verification but are still accepted.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is related to JWT token verification, you can use commands or scripts to decode JWT tokens and inspect their headers for the "alg" field set to "none".'}, {'type': 'list_item', 'content': 'Use a command-line tool like `jq` and `base64` to decode JWT headers from logs or intercepted tokens: `echo \'<jwt_token>\' | cut -d \'.\' -f1 | base64 -d | jq \'.\'` and check the "alg" field.'}, {'type': 'list_item', 'content': 'Search your server logs for tokens containing "alg":"none" using grep: `grep -r \'"alg":"none"\' /path/to/logs`.'}, {'type': 'list_item', 'content': 'Implement or review unit tests similar to those added in the Parse Server codebase that reject tokens with "alg:none" to verify your system\'s JWT verification behavior.'}] [1, 3]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Parse Server to version 8.6.3 or later (including 9.1.1-alpha.4 and above), where the vulnerability is fixed by hardcoding the JWT verification algorithm to RS256 and replacing the custom key fetcher with a secure implementation.

If upgrading immediately is not possible, the recommended workaround is to disable Google authentication in your Parse Server deployment until the patch can be applied.

Ensure that your JWT verification process does not trust the algorithm specified in the JWT header and enforces the use of RS256 algorithm explicitly.

  • Upgrade Parse Server to version 8.6.3 or 9.1.1-alpha.4 or later.
  • Temporarily disable Google authentication if upgrading is not feasible immediately.
  • Review and apply patches that hardcode the JWT algorithm to RS256 and use the jwks-rsa library for key fetching.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart