CVE-2026-30863
EUVD-2026-1017207.03.2026, 17:15
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| parseplatform | parse-server | 𝑥 < 8.6.10 |
| parseplatform | parse-server | 9.0.0 ≤ 𝑥 < 9.5.0 |
| parseplatform | parse-server | 9.5.0:alpha1 |
| parseplatform | parse-server | 9.5.0:alpha10 |
| parseplatform | parse-server | 9.5.0:alpha2 |
| parseplatform | parse-server | 9.5.0:alpha3 |
| parseplatform | parse-server | 9.5.0:alpha4 |
| parseplatform | parse-server | 9.5.0:alpha5 |
| parseplatform | parse-server | 9.5.0:alpha6 |
| parseplatform | parse-server | 9.5.0:alpha7 |
| parseplatform | parse-server | 9.5.0:alpha8 |
| parseplatform | parse-server | 9.5.0:alpha9 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-287 - Improper AuthenticationWhen an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
- CWE-863 - Incorrect AuthorizationThe software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.