CVE-2026-30949
Received Received - Intake
Authorization Bypass in Parse Server Keycloak Adapter Enables Account Takeover

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected. This vulnerability is fixed in 9.5.2-alpha.5 and 8.6.18.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30949
EUVD
EUVD-2026-10868
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform parse-server to 8.6.18 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

I don't know

Executive Summary

This vulnerability affects the Parse Server's Keycloak authentication adapter. Before versions 9.5.2-alpha.5 and 8.6.18, the adapter does not properly validate the 'azp' (authorized party) claim in Keycloak access tokens against the configured client-id.

As a result, an access token issued by the same Keycloak realm but for a different client application can be used to authenticate as any user on the Parse Server that uses this Keycloak adapter.

This flaw enables cross-application account takeover in environments where the Keycloak realm has multiple client applications.

Impact Analysis

The vulnerability allows an attacker to use a valid access token from one client application to impersonate any user on the Parse Server that uses the Keycloak adapter.

This can lead to unauthorized access to user accounts across different client applications within the same Keycloak realm, resulting in potential data breaches, unauthorized actions, and loss of user trust.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Parse Server deployment to version 9.5.2-alpha.5 or later, or 8.6.18 or later, where the Keycloak authentication adapter properly validates the azp (authorized party) claim of Keycloak access tokens.

Ensure that your Keycloak realm configuration and client applications are reviewed to prevent cross-application account takeover by enforcing proper token validation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30949. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart