8.6

Parse Server allows unauthorized access to user accounts

CVE-2026-30949 GHSA-48mh-j4p5-7j9v
Summary

A security issue in Parse Server's Keycloak adapter lets attackers use a valid access token from one app to access any user account on another app using the same Keycloak realm. All Parse Server users who use Keycloak authentication with multiple client apps in the same realm should update to a patched version of Parse Server to fix this issue.

What to do
  • Update parse-server to version 9.5.2-alpha.5.
  • Update parse-server to version 8.6.18.
  • Update parse to version 9.5.2.
Affected software
Vendor          Product        Affected versions            Fix available
                parse-server   > 9.0.0, <= 9.5.2-alpha.5    9.5.2-alpha.5
                parse-server   <= 8.6.18                    8.6.18
parseplatform   parse-server   <= 8.6.18
parseplatform   parse-server   > 9.0.0, <= 9.5.2
parseplatform   parse-server   9.5.2
                parse          > 9.0.0, <= 9.5.2            9.5.2
Original title
Parse Server is missing audience validation in Keycloak authentication adapter
Original description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected. This vulnerability is fixed in 9.5.2-alpha.5 and 8.6.18.
NVD CVSS 4.0 score: 7.6
Vulnerability type
CWE-287 Improper Authentication
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 10 Mar 2026