CVE-2026-32269
Received Received - Intake
OAuth2 App ID Validation Bypass in Parse Server

Publication date: 2026-03-12

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request. Deployments using the OAuth2 adapter with appidField and appIds configured are affected. This vulnerability is fixed in 9.6.0-alpha.13 and 8.6.39.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32269
EUVD
EUVD-2026-11696
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform parse-server From 8.0.2 (inc) to 8.6.39 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-683 The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Parse Server deployment to a fixed version where the issue is resolved.

  • Upgrade to Parse Server version 9.6.0-alpha.13 or later if you are using the 9.x.x branch.
  • Upgrade to Parse Server version 8.6.39 or later if you are using the 8.x.x branch.

These versions fix the OAuth2 adapter app ID validation by correcting the parameter order to ensure the correct access token is sent to the token introspection endpoint.

No known workarounds exist, so upgrading is the recommended immediate action.

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32269 is a vulnerability in the OAuth2 authentication adapter of Parse Server versions prior to 9.6.0-alpha.13 and 8.6.39 when configured with both appidField and appIds. During app ID validation, the adapter sends a malformed value to the token introspection endpoint instead of the user's actual access token due to a parameter misalignment caused by a function call with arguments in the wrong order."}, {'type': 'paragraph', 'content': 'Depending on how the introspection endpoint responds to this malformed token, the vulnerability can either cause all OAuth2 logins to fail or allow authentication from unauthorized app contexts if the endpoint accepts the malformed token as valid.'}, {'type': 'paragraph', 'content': 'This issue affects deployments using the OAuth2 adapter with the specified configuration and requires no privileges or user interaction to exploit, but has a high attack complexity and is network-based.'}] [3]

Impact Analysis

The vulnerability can impact you in two main ways depending on the behavior of the token introspection endpoint:

  • It may cause all OAuth2 logins to fail, disrupting authentication for users.
  • Alternatively, it may allow authentication from disallowed or unauthorized app contexts if the introspection endpoint accepts the malformed token as valid, potentially leading to unauthorized access.

The impact on confidentiality and integrity is considered low, and there is no impact on availability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32269. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart