CVE-2026-32242
Status: Received - Intake
OAuth2 Token Validation Flaw in Parse Server Causes Authentication Bypass

Publication date: 2026-03-12

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy. Deployments that configure multiple OAuth2 providers via the oauth2: true flag are affected. This vulnerability is fixed in 9.6.0-alpha.11 and 8.6.37.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.6.0 (the page lists ten identical CPE entries for this version; collapsed to one row)
parseplatform parse-server up to 8.6.37 (excluding)
parseplatform parse-server from 9.0.0 (including) up to 9.6.0 (excluding)

Note that the CPE upper bound of 9.6.0 (excluding) is coarser than the advisory text: pre-release builds 9.6.0-alpha.11 and later are fixed even though a semantic-version comparison places them below 9.6.0. When checking a deployment, use the advisory's own bounds (fixed in 8.6.37 and in 9.6.0-alpha.11) rather than the CPE range.
CWE
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32242 is a vulnerability in Parse Server's built-in OAuth2 authentication adapter. The adapter module exports a single instance that is shared across all configured OAuth2 providers. When more than one OAuth2 provider is configured and authentication requests for different providers run concurrently, one provider's token validation may use another provider's configuration. A token that provider A should reject can then be accepted because it is validated against provider B's policy.

The root cause is a race condition (CWE-362): per-provider configuration is held in shared mutable state without synchronization, so the window between one request loading its configuration and using it can be entered by a second request for a different provider. Only deployments that configure multiple OAuth2 providers using the oauth2: true flag are affected. The fix isolates configurations by creating a separate adapter instance per provider, so that no request can observe another provider's settings. [1]

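The following is an added model of the shared-singleton pattern described above; it is not Parse Server's code. The provider names, tokens and the simulated introspection call are constructed for the example, and the `await` between storing and using the configuration stands in for the real adapter's network I/O. It shows the vulnerable shape (one instance, per-request configuration parked on it) next to the fixed shape (one instance per provider), with two concurrent logins that race in the first and not in the second.

```javascript
// Added model of the CWE-362 pattern in the advisory; not Parse Server's code.
// Provider names, tokens and the introspection stand-in are constructed.

// Each provider's "policy": the tokens its introspection endpoint would accept.
const PROVIDERS = {
  providerA: { name: 'providerA', acceptedTokens: new Set(['tokA']) },
  providerB: { name: 'providerB', acceptedTokens: new Set(['tokB']) },
};

// Stand-in for the network round trip to a provider's introspection endpoint.
function introspect(providerConfig, token) {
  return new Promise(resolve =>
    setTimeout(() => resolve(providerConfig.acceptedTokens.has(token)), 5));
}

// Vulnerable shape: one instance serves every provider and stores the
// per-request configuration on itself. Any await between storing and using it
// is the timing window in which another request can overwrite it.
class SharedOAuth2Adapter {
  async validate(token, providerConfig) {
    this.config = providerConfig;                         // shared mutable state
    await new Promise(resolve => setImmediate(resolve));  // yield, as real I/O would
    return introspect(this.config, token);                // may now be another provider's config
  }
}
const sharedSingleton = new SharedOAuth2Adapter();

// Fixed shape: one instance per provider, so a request always validates
// against the configuration its adapter was created with.
class PerProviderOAuth2Adapter {
  constructor(providerConfig) { this.config = providerConfig; }
  validate(token) { return introspect(this.config, token); }
}

// Two concurrent logins: request 1 presents a token issued by providerB to
// providerA (must be rejected); request 2 is a legitimate providerB login.
async function raceShared() {
  const [viaA, viaB] = await Promise.all([
    sharedSingleton.validate('tokB', PROVIDERS.providerA),
    sharedSingleton.validate('tokB', PROVIDERS.providerB),
  ]);
  return { tokBAcceptedByA: viaA, tokBAcceptedByB: viaB };
}

async function raceIsolated() {
  const adapterA = new PerProviderOAuth2Adapter(PROVIDERS.providerA);
  const adapterB = new PerProviderOAuth2Adapter(PROVIDERS.providerB);
  const [viaA, viaB] = await Promise.all([
    adapterA.validate('tokB'),
    adapterB.validate('tokB'),
  ]);
  return { tokBAcceptedByA: viaA, tokBAcceptedByB: viaB };
}

raceShared().then(r => console.log('shared singleton:', r));        // tokBAcceptedByA: true
raceIsolated().then(r => console.log('per-provider instances:', r)); // tokBAcceptedByA: false
```

In the shared case the second call overwrites `this.config` with providerB's policy before the first call resumes, so providerA's login is decided by providerB's token set. The interleaving here is deterministic because both calls yield once in order; in a real server it depends on request timing, which is why the outcome in production is probabilistic rather than guaranteed.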

How can this vulnerability impact me? :

This vulnerability can allow an attacker to bypass a provider's token validation policy: a token that one provider should reject may be accepted because it is checked against a different provider's configuration. This undermines the integrity of the authentication decision and, through it, the confidentiality of whatever that decision protects.

  • An attacker holding a token that one configured provider accepts can, by winning the race, have it accepted as a login through a different provider.
  • Data protected by OAuth2 authentication may be exposed to the resulting session.
  • The integrity of authentication decisions is undermined, allowing unauthorized actions.

No existing privileges on the Parse Server and no user interaction are required, which increases the risk, but exploitation does depend on concurrent requests to different providers being timed so that the attacker's validation runs after another provider's configuration has been loaded into the shared instance. The page does not provide a CVSS score or vector.




How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from Parse Server's built-in OAuth2 adapter sharing a single instance across multiple OAuth2 providers, so that under concurrent requests token validation may run against the wrong provider's configuration.

Detection means checking two things: whether the deployment runs a vulnerable version (8.x below 8.6.37, or 9.x from 9.0.0 up to but not including 9.6.0-alpha.11) and whether more than one auth provider is configured with the oauth2: true flag. The resources provide no network or system commands for detecting exploitation of this vulnerability.

A practical approach is to check the installed Parse Server version, run from the application directory where parse-server is installed so that require can resolve it:

  • node -e "console.log(require('parse-server/package.json').version)"

and then review your Parse Server configuration to see whether more than one auth provider entry sets oauth2: true. [1]

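Both checks above, as an added example that is not part of the page or of Parse Server: a small Node script that classifies a version string against the advisory's bounds (8.6.37 and 9.6.0-alpha.11, compared with semantic-version ordering so that pre-releases sort below the release) and counts the auth provider entries that set oauth2: true. The config shape `auth: { providerName: { oauth2: true, ... } }` and the `tokenIntrospectionEndpointUrl` field are assumptions for illustration; the sample configuration is constructed.

```javascript
// Added example; not Parse Server's code. Applies the two detection checks
// from the advisory: vulnerable version range, and >1 provider with oauth2: true.

const FIXED_8 = '8.6.37';          // first fixed 8.x release (from the advisory)
const FIXED_9 = '9.6.0-alpha.11';  // first fixed 9.x build (from the advisory)

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Pre-release identifier comparison: numeric sorts before alphanumeric, numerics compare as numbers.
function compareIds(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Number(a) - Number(b);
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Semantic-version ordering: a release is greater than any of its pre-releases.
function compareVersions(x, y) {
  const a = parseVersion(x), b = parseVersion(y);
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (a.pre[i] === undefined) return -1;
    if (b.pre[i] === undefined) return 1;
    const c = compareIds(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// Advisory bounds: < 8.6.37 on the 8.x line, >= 9.0.0 and < 9.6.0-alpha.11 on the 9.x line.
function isVulnerableVersion(v) {
  const major = parseVersion(v).core[0];
  if (major >= 9) return compareVersions(v, FIXED_9) < 0;
  return compareVersions(v, FIXED_8) < 0;
}

// Names of auth provider entries that enable the built-in OAuth2 adapter.
// Assumed config shape: auth: { providerName: { oauth2: true, ... } }.
function oauth2Providers(auth) {
  return Object.entries(auth || {})
    .filter(([, cfg]) => cfg && cfg.oauth2 === true)
    .map(([name]) => name);
}

// Exposed only when both conditions hold: vulnerable version AND >1 OAuth2 provider.
function assess(version, auth) {
  const providers = oauth2Providers(auth);
  const vulnerableVersion = isVulnerableVersion(version);
  return { version, vulnerableVersion, providers, exposed: vulnerableVersion && providers.length > 1 };
}

// Constructed sample configuration (not a real deployment); endpoint URLs are placeholders.
const sampleAuth = {
  providerA: { oauth2: true, tokenIntrospectionEndpointUrl: 'https://a.example/introspect' },
  providerB: { oauth2: true, tokenIntrospectionEndpointUrl: 'https://b.example/introspect' },
  anonymous: { enabled: true },
};

console.log(JSON.stringify(assess('9.6.0-alpha.3', sampleAuth)));  // exposed: true
console.log(JSON.stringify(assess('9.6.0-alpha.11', sampleAuth))); // exposed: false
```

To run it against a real deployment, replace `sampleAuth` with the `auth` object from your Parse Server options and pass the version printed by the `node -e` command above. The version comparison is the part worth getting right: a naive string or numeric comparison would treat 9.6.0-alpha.3 as fixed, since the CPE range on this page ends at 9.6.0.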

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade to a Parse Server release that contains the fix.

  • On the 9.x branch, upgrade to 9.6.0-alpha.11 or later.
  • On the 8.x branch, upgrade to 8.6.37 or later.

If an immediate upgrade is not possible, reduce the configuration to a single OAuth2 provider (only one auth adapter entry with oauth2: true) until the upgrade is done; with one provider there is no second configuration for the shared instance to pick up. After making the change, confirm that the remaining provider is the one your users actually sign in with.

No other workaround is known.

