Executive Summary

CVE-2026-30863 is a critical vulnerability in the Google, Apple, and Facebook authentication adapters of the Parse Server. These adapters use JWT (JSON Web Token) verification to validate identity tokens. The vulnerability occurs when the audience configuration option (clientId for Google and Apple, appIds for Facebook) is not set. In this case, the JWT verification process silently skips validation of the audience claim.

This flaw allows an attacker to use a valid JWT issued for a different application to authenticate as any user on the target Parse Server, effectively bypassing proper authentication checks.

For Google and Apple, the vulnerability is exploitable only if the server does not configure the clientId. For Facebook, the issue affects the Limited Login flow regardless of configuration because the adapter never passes appIds as the audience to JWT verification in this path.

The vulnerability has been patched in Parse Server versions 8.6.10 and 9.5.0-alpha.11 by making clientId and appIds mandatory and enforcing audience claim validation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to authenticate as any user on the target Parse Server by using a valid JWT issued for a different application. This means unauthorized access to user accounts and potentially sensitive data.

The impact includes a high risk to confidentiality and integrity of the system, as attackers can impersonate users without needing any privileges or user interaction.

Because the attack vector is network-based and requires low complexity, it can be exploited remotely and easily, increasing the risk of compromise.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves checking the configuration of the Parse Server authentication adapters for Google, Apple, and Facebook.'}, {'type': 'paragraph', 'content': 'Specifically, verify if the audience configuration options are set: `clientId` for Google and Apple adapters, and `appIds` for the Facebook adapter.'}, {'type': 'paragraph', 'content': 'If these options are missing or not properly configured, the server is vulnerable because JWT audience claim validation is skipped.'}, {'type': 'paragraph', 'content': 'Commands to detect this might include inspecting the Parse Server configuration files or environment variables where these adapters are set up.'}, {'type': 'list_item', 'content': 'Use grep or similar tools to search for `clientId` and `appIds` in your configuration files, for example: `grep -r "clientId" /path/to/parse-server/config`'}, {'type': 'list_item', 'content': 'Check running Parse Server environment variables or startup scripts for these parameters.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring authentication logs for tokens accepted without proper audience validation could indicate exploitation attempts, but no specific commands are provided.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Parse Server to versions 8.6.10 or 9.5.0-alpha.11 or later, where the vulnerability is patched.

If immediate upgrade is not possible, for Google and Apple adapters, configure the `clientId` option to enforce audience claim validation even on unpatched versions.

For Facebook authentication, especially the Limited Login flow, no workaround exists other than upgrading to a patched version.

Ensuring these configuration options are set correctly aligns with existing documentation and prevents attackers from authenticating as arbitrary users.

Useful 0 Not Useful 0