CVE-2026-32269
OAuth2 App ID Validation Bypass in Parse Server
Publication date: 2026-03-12
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | From 9.0.0 (inc) to 9.6.0 (exc) |
| parseplatform | parse-server | From 8.0.2 (inc) to 8.6.39 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-683 | The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your Parse Server deployment to a fixed version where the issue is resolved.
- Upgrade to Parse Server version 9.6.0-alpha.13 or later if you are using the 9.x.x branch.
- Upgrade to Parse Server version 8.6.39 or later if you are using the 8.x.x branch.
These versions fix the OAuth2 adapter app ID validation by correcting the parameter order to ensure the correct access token is sent to the token introspection endpoint.
No known workarounds exist, so upgrading is the recommended immediate action.
Can you explain this vulnerability to me?
CVE-2026-32269 is a vulnerability in the OAuth2 authentication adapter of Parse Server versions prior to 9.6.0-alpha.13 and 8.6.39 when configured with both appidField and appIds. During app ID validation, the adapter sends a malformed value to the token introspection endpoint instead of the user's actual access token due to a parameter misalignment caused by a function call with arguments in the wrong order.
Depending on how the introspection endpoint responds to this malformed token, the vulnerability can either cause all OAuth2 logins to fail or allow authentication from unauthorized app contexts if the endpoint accepts the malformed token as valid.
This issue affects deployments using the OAuth2 adapter with the specified configuration and requires no privileges or user interaction to exploit, but has a high attack complexity and is network-based. [3]
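As an added illustration (not Parse Server's own code; the function names and sample token table are hypothetical), the JavaScript below shows the CWE-683 failure mode the answer describes: with positional parameters, a swapped call sends the allowed-app list to the introspection endpoint instead of the access token, while a named-options shape with a type check rejects the swap before any request is made.

```javascript
// Added illustration, not Parse Server's code; names and sample data are
// hypothetical. Positional parameters let a caller swap the access token and
// the allowed-app list (CWE-683); the hardened shape refuses to send anything
// but a real token string to the introspection endpoint.
function makeIntrospector(knownTokens) {           // stand-in for an RFC 7662 call
  const calls = [];                                 // every value it was asked about
  const introspect = (token) => {
    calls.push(token);
    const claims = knownTokens[token];
    return claims ? { active: true, ...claims } : { active: false };
  };
  return { calls, introspect };
}

// Buggy shape: nothing stops a caller from reversing accessToken and appIds.
function validateAppIdPositional(ix, accessToken, appIds, appidField) {
  const info = ix.introspect(accessToken);
  return info.active === true && appIds.includes(info[appidField]);
}

// Hardened shape: named options and a type check before any request is sent.
function validateAppIdSafe(ix, { accessToken, appIds, appidField }) {
  if (typeof accessToken !== 'string' || accessToken.length === 0) {
    throw new TypeError('accessToken must be a non-empty string');
  }
  if (!Array.isArray(appIds)) throw new TypeError('appIds must be an array');
  const info = ix.introspect(accessToken);
  return info.active === true && appIds.includes(info[appidField]);
}

const SAMPLE_TOKENS = { 'tok-123': { client_id: 'app-A' } }; // constructed sample

// The bug class: token and appIds passed in the wrong order.
function demoSwappedArguments() {
  const ix = makeIntrospector(SAMPLE_TOKENS);
  const ok = validateAppIdPositional(ix, ['app-A'], 'tok-123', 'client_id');
  return { ok, sentToIntrospection: ix.calls[0] }; // an array, not the token
}

// Hardened shape: the correct call passes; the swapped one never reaches the endpoint.
function demoSafe() {
  const ix = makeIntrospector(SAMPLE_TOKENS);
  const args = { accessToken: 'tok-123', appIds: ['app-A'], appidField: 'client_id' };
  const ok = validateAppIdSafe(ix, args);
  let rejected = false;
  try { validateAppIdSafe(ix, { ...args, accessToken: args.appIds, appIds: args.accessToken }); }
  catch (e) { rejected = e instanceof TypeError; }
  return { ok, rejected, requests: ix.calls.length };
}
```

Whether the buggy call fails closed (all logins fail) or fails open depends entirely on how the real endpoint answers a non-token value, which is why the fix validates the token before sending it rather than relying on the endpoint.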
How can this vulnerability impact me?
The vulnerability can impact you in two main ways depending on the behavior of the token introspection endpoint:
- It may cause all OAuth2 logins to fail, disrupting authentication for users.
- Alternatively, it may allow authentication from disallowed or unauthorized app contexts if the introspection endpoint accepts the malformed token as valid, potentially leading to unauthorized access.
The impact on confidentiality and integrity is considered low, and there is no impact on availability.