Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32242 is a critical vulnerability in Parse Server's built-in OAuth2 authentication adapter. The adapter exports a singleton instance that is shared across all OAuth2 provider configurations. When multiple OAuth2 providers are configured and concurrent authentication requests occur, one provider's token validation may incorrectly use another provider's configuration. This can cause a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy."}, {'type': 'paragraph', 'content': 'The root cause is a race condition due to improper synchronization when accessing shared mutable state concurrently. The vulnerability affects deployments that configure multiple OAuth2 providers using the oauth2: true flag. The fix involves creating a new instance of the OAuth2 adapter for each provider to isolate configurations and prevent cross-provider token validation interference.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to bypass token validation policies, potentially accepting tokens that should be rejected. This compromises the confidentiality and integrity of the authentication process.

• An attacker can gain unauthorized access by exploiting token validation across different OAuth2 providers.
• Confidential information protected by OAuth2 authentication may be exposed.
• Integrity of authentication decisions can be undermined, allowing unauthorized actions.

No privileges or user interaction are required to exploit this vulnerability, increasing its risk.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability arises from the Parse Server's built-in OAuth2 adapter sharing a singleton instance across multiple OAuth2 providers, causing token validation to potentially use incorrect provider configurations under concurrent requests."}, {'type': 'paragraph', 'content': 'Detection involves verifying if your Parse Server deployment is running a vulnerable version (>= 9.0.0 and < 9.6.0-alpha.11, or < 8.6.37) and if multiple OAuth2 providers are configured with the oauth2: true flag.'}, {'type': 'paragraph', 'content': 'There are no specific network or system commands provided in the resources to detect exploitation or presence of this vulnerability.'}, {'type': 'paragraph', 'content': 'A practical approach is to check the Parse Server version using commands like:'}, {'type': 'list_item', 'content': 'node -e "console.log(require(\'parse-server/package.json\').version)"'}, {'type': 'paragraph', 'content': 'and review your Parse Server configuration files to see if multiple OAuth2 providers are enabled with oauth2: true.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade your Parse Server deployment to a fixed version where this vulnerability is resolved.

• Upgrade to Parse Server version 9.6.0-alpha.11 or later if using the 9.x branch.
• Alternatively, upgrade to version 8.6.37 or later if using the 8.x branch.

If immediate upgrade is not possible, consider temporarily configuring only a single OAuth2 provider (disabling oauth2: true for multiple providers) to avoid the shared singleton instance issue.

No known workarounds exist other than upgrading or limiting to a single OAuth2 provider.

Useful 0 Not Useful 0