CVE-2026-30967
OAuth2 Token Validation Bypass in Parse Server Authentication

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9 and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9 and 8.6.22.
Meta Information
Published: 2026-03-10
Last Modified: 2026-03-11
Generated: 2026-05-07
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor          Product        Version / Range
parseplatform   parse-server   9.5.2
parseplatform   parse-server   From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform   parse-server   to 8.6.22 (exc)
CWE
CWE ID    Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


Can you explain this vulnerability to me?

This vulnerability exists in Parse Server's OAuth2 authentication adapter when it is configured without the useridField option. In such cases, the adapter only checks if an OAuth2 token is active by verifying it through the provider's token introspection endpoint, but it does not confirm that the token actually belongs to the user identified by authData.id.

As a result, an attacker who has any valid OAuth2 token from the same provider can use that token to authenticate as any other user, effectively impersonating them.

This issue affects any Parse Server deployment using the generic OAuth2 authentication adapter with oauth2: true and without setting the useridField option. The vulnerability was fixed in versions 9.5.2-alpha.9 and 8.6.22.


How can this vulnerability impact me?

This vulnerability can allow an attacker to impersonate any user in a Parse Server deployment that uses the affected OAuth2 authentication adapter configuration.

By authenticating as other users without proper authorization, the attacker could gain unauthorized access to sensitive data, perform actions on behalf of other users, and potentially compromise the integrity and confidentiality of the system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade your Parse Server deployment to version 9.5.2-alpha.9 or later, or 8.6.22 or later.

Alternatively, if upgrading is not immediately possible, ensure that the OAuth2 authentication adapter is configured with the useridField option set. This ensures that the token is verified to belong to the user identified by authData.id, preventing attackers from authenticating as other users with any valid token.
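The following is an added illustration, not Parse Server's own adapter code, of the gap the description above names and of the check the mitigation relies on: an authData validator that only tests the introspection response's `active` flag versus one that also binds the token to `authData.id`. The provider's introspection endpoint is replaced by a constructed in-memory table so the example runs offline; the option names `oauth2` and `useridField` come from the page, while the helper names (`validateAuthDataWeak`, `validateAuthDataStrict`, `introspect`, `demo`), the constructed tokens and the fallback to the RFC 7662 `sub` field are assumptions made for this example.

```javascript
// Constructed stand-in for the OAuth2 provider's token introspection endpoint.
// A real adapter makes an HTTP call here; the response shape follows RFC 7662
// ({ active, sub, ... }). Tokens and subjects are constructed for the demo.
const INTROSPECTION_TABLE = {
  'tok-alice':   { active: true,  sub: 'alice' },
  'tok-mallory': { active: true,  sub: 'mallory' },
  'tok-expired': { active: false, sub: 'alice' },
};
function introspect(token) {
  return INTROSPECTION_TABLE[token] || { active: false };
}

// Vulnerable pattern: when options.useridField is unset, only `active` is
// checked, so any live token from the provider satisfies authData for ANY
// claimed id. With useridField set, the token's subject is compared.
function validateAuthDataWeak(authData, options, introspectFn = introspect) {
  const resp = introspectFn(authData.access_token);
  if (!resp.active) throw new Error('token is not active');
  if (options.useridField && resp[options.useridField] !== authData.id) {
    throw new Error('token does not belong to the claimed user');
  }
  return { id: authData.id };
}

// Hardened pattern: the user-id binding cannot be skipped. If the deployment
// does not name a field, fall back to `sub` (assumption for this example) and
// refuse tokens whose introspection response carries no usable identifier.
function validateAuthDataStrict(authData, options, introspectFn = introspect) {
  const field = options.useridField || 'sub';
  const resp = introspectFn(authData.access_token);
  if (!resp.active) throw new Error('token is not active');
  if (resp[field] === undefined) {
    throw new Error(`introspection response lacks ${field}`);
  }
  if (resp[field] !== authData.id) {
    throw new Error('token does not belong to the claimed user');
  }
  return { id: authData.id };
}

// Returns 'ok' on success or the rejection reason, for side-by-side comparison.
function outcome(fn, authData, options) {
  try { fn(authData, options); return 'ok'; }
  catch (e) { return e.message; }
}

// Side-by-side run: a token issued to "mallory" presented with authData.id "alice".
function demo() {
  const impersonation = { id: 'alice', access_token: 'tok-mallory' };
  const vulnerableConfig = { oauth2: true };                   // no useridField
  const fixedConfig      = { oauth2: true, useridField: 'sub' };
  return {
    weakNoField:    outcome(validateAuthDataWeak,   impersonation, vulnerableConfig), // 'ok': impersonation accepted
    weakWithField:  outcome(validateAuthDataWeak,   impersonation, fixedConfig),      // rejected
    strictNoField:  outcome(validateAuthDataStrict, impersonation, vulnerableConfig), // rejected even without the option
    strictOwnToken: outcome(validateAuthDataStrict, { id: 'alice', access_token: 'tok-alice' }, vulnerableConfig), // 'ok'
    strictExpired:  outcome(validateAuthDataStrict, { id: 'alice', access_token: 'tok-expired' }, fixedConfig),    // inactive token rejected
  };
}

console.log(demo());
```

The `weakNoField` result is the defect the description names: an active token is enough, and the claimed `authData.id` is never tied to the token. Setting `useridField` (the interim mitigation above) closes it in the weak variant; the strict variant shows why a fixed adapter should not make that binding optional at all.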

