8.6
Parse Server OAuth login tokens can be used by other users
CVE-2026-30967
GHSA-fr88-w35c-r596
Summary
If your Parse Server uses the generic OAuth2 authentication adapter (`oauth2: true`) without the `useridField` option set, the adapter only checks that a token is active at the provider's introspection endpoint and never checks that the token belongs to the user named in `authData.id`. An attacker holding any valid token from the same provider can therefore log in as any other user. To fix this, update to a patched version of Parse Server (9.5.2-alpha.9 or 8.6.22) or set the `useridField` option in the authentication configuration to the field name under which your OAuth provider returns the token's subject.
What to do
- Update parse-server to version 9.5.2-alpha.9.
- Update parse-server to version 8.6.22.
- Update parse to version 9.5.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | parse-server | > 9.0.0-alpha.1 , <= 9.5.2-alpha.9 | 9.5.2-alpha.9 |
| – | parse-server | <= 8.6.22 | 8.6.22 |
| parseplatform | parse-server | <= 8.6.22 | – |
| parseplatform | parse-server | > 9.0.0 , <= 9.5.2 | – |
| parseplatform | parse-server | 9.5.2 | – |
| – | parse | > 9.0.0 , <= 9.5.2 | 9.5.2 |
Original title
Parse Server OAuth2 authentication adapter account takeover via identity spoofing
Original description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9 and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9 and 8.6.22.
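The following is an added example illustrating the check the description above is about; it is not parse-server's own adapter code. It models the vulnerable behaviour (accept any active token and trust the caller-supplied `authData.id`) beside the fixed behaviour (bind the token to an identity by comparing the introspection field named by `useridField` with `authData.id`). The introspection responses, the token strings, the function names `validateVulnerable` / `validateFixed`, and the two config objects are constructed for this example; `sub` is the RFC 7662 subject field and is only a placeholder for whatever field your provider actually returns.

```javascript
// Illustrative model of the OAuth2 adapter check described in the advisory.
// Added example, not parse-server code. All names and data below are constructed.

// Constructed RFC 7662-style introspection responses keyed by bearer token.
// In a real deployment these come from the provider's introspection endpoint.
const INTROSPECTION_DB = {
  'tok-attacker': { active: true, sub: 'attacker-123', client_id: 'my-app' },
  'tok-victim':   { active: true, sub: 'victim-456',   client_id: 'my-app' },
  'tok-expired':  { active: false },
};

// Stand-in for the HTTP call to the provider's token introspection endpoint.
function introspect(token) {
  return INTROSPECTION_DB[token] || { active: false };
}

// Vulnerable behaviour: without useridField, only `active` is checked, so the
// id the client sends in authData is trusted unconditionally.
function validateVulnerable(authData) {
  const res = introspect(authData.access_token);
  if (!res.active) throw new Error('Token is not active');
  return authData.id; // attacker-controlled; never tied to the token
}

// Fixed behaviour: the token must belong to the claimed user. The subject is
// read from the introspection response under the configured useridField and
// compared with authData.id. A missing option or missing field is a hard
// failure, not a silent pass.
function validateFixed(authData, options) {
  const res = introspect(authData.access_token);
  if (!res.active) throw new Error('Token is not active');
  if (!options || !options.useridField) {
    throw new Error('useridField must be configured for the OAuth2 adapter');
  }
  const subject = res[options.useridField];
  if (subject === undefined) {
    throw new Error(`Introspection response has no '${options.useridField}' field`);
  }
  if (String(subject) !== String(authData.id)) {
    throw new Error('Token does not belong to the claimed user');
  }
  return authData.id;
}

// Weak versus corrected adapter configuration (illustrative objects, not a
// complete Parse Server auth config). 'sub' is an assumption: use the field
// name your provider actually returns for the token's subject.
const weakConfig  = { oauth2: true };
const fixedConfig = { oauth2: true, useridField: 'sub' };

// Attacker presents their own live token but claims the victim's id.
const takeover = { id: 'victim-456', access_token: 'tok-attacker' };
// Legitimate login: the victim's own token with the victim's id.
const legit    = { id: 'victim-456', access_token: 'tok-victim' };

function outcome(fn) {
  try { return 'accepted as ' + fn(); } catch (e) { return 'rejected: ' + e.message; }
}

console.log('vulnerable, takeover:', outcome(() => validateVulnerable(takeover)));
console.log('fixed,      takeover:', outcome(() => validateFixed(takeover, fixedConfig)));
console.log('fixed,      legit   :', outcome(() => validateFixed(legit, fixedConfig)));
console.log('fixed, weak config  :', outcome(() => validateFixed(legit, weakConfig)));
```

The point of the `weakConfig` case is that a fixed adapter should refuse to run without `useridField` rather than fall back to the old active-only check; when upgrading, confirm the option is set and that the field it names is actually present in your provider's introspection responses, otherwise every login will fail closed.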
NVD CVSS 4.0
7.6
Vulnerability type
CWE-287
Improper Authentication
- https://github.com/parse-community/parse-server/releases/tag/8.6.22
- https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9
- https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w3...
- https://nvd.nist.gov/vuln/detail/CVE-2026-30967
- https://github.com/advisories/GHSA-fr88-w35c-r596
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30967... Vendor Advisory
- https://github.com/parse-community/parse-server Product
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 10 Mar 2026