6.3
Parse Server's OAuth2 Login Fails or Allows Unauthorized Access
CVE-2026-32269
GHSA-69xg-f649-w5g2
Summary
Older versions of Parse Server's OAuth2 login feature can incorrectly validate app IDs, potentially causing all logins to fail or allowing unauthorized access. If you're using the OAuth2 adapter, update to version 9.6.0-alpha.13 or 8.6.39 to fix the issue.
What to do
- If you run Parse Server 9, update parse-server to version 9.6.0-alpha.13.
- If you run Parse Server 8, update parse-server to version 8.6.39.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| parseplatform | parse-server | > 8.0.2 , <= 8.6.39 | – |
| parseplatform | parse-server | > 9.0.0 , <= 9.6.0 | – |
| parseplatform | parse-server | 9.6.0 | – |
| – | parse-server | > 9.0.0 , <= 9.6.0-alpha.13 | 9.6.0-alpha.13 |
| – | parse-server | > 8.0.2 , <= 8.6.39 | 8.6.39 |
Original title
Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
Original description
### Impact
The OAuth2 authentication adapter does not correctly validate app IDs when `appidField` and `appIds` are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request.
Deployments using the OAuth2 adapter with `appidField` and `appIds` configured are affected.
### Patches
The fix corrects the parameter alignment in the OAuth2 adapter's app ID validation method to match the expected interface, ensuring the correct access token is sent to the introspection endpoint.
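The misalignment described above, modeled as an added JavaScript example (not Parse Server's code; the adapter, the `login` caller and the introspection stubs are hypothetical, and the `(appIds, authData)` call order is an assumption). It shows how the wrong argument makes the string `undefined` reach the introspection endpoint, so that a strict endpoint fails every login while a lenient one accepts a token issued to a disallowed app.

```javascript
// Added illustration of the bug class (CWE-683); every name below is hypothetical
// and none of this is Parse Server source code.

// Constructed token records standing in for the identity provider.
const TOKENS = {
  'tok-mobile': { active: true, client_id: 'mobile-app' },
  'tok-other': { active: true, client_id: 'other-app' },
};

// Constructed introspection stubs (local functions so the example runs offline).
// strict: unknown tokens are inactive. lenient: unknown tokens get valid-looking data.
const strictIntrospect = token => TOKENS[token] || { active: false };
const lenientIntrospect = token =>
  TOKENS[token] || { active: true, client_id: 'mobile-app' };

function makeAdapter(config, introspect, aligned) {
  const check = authData => {
    const sent = String(authData.access_token); // value that reaches the endpoint
    const info = introspect(sent);
    if (!info.active) return { ok: false, sent, reason: 'inactive token' };
    const ok = config.appIds.includes(info[config.appidField]);
    return { ok, sent, reason: ok ? 'allowed' : 'app ID not allowed' };
  };
  return {
    validateAppId: aligned
      ? (appIds, authData) => check(authData) // matches the caller's argument order
      : authData => check(authData), // misaligned: receives the appIds array
  };
}

// Caller side of the assumed interface: always passes (appIds, authData).
function login(adapter, config, accessToken) {
  return adapter.validateAppId(config.appIds, { access_token: accessToken });
}

const config = { appidField: 'client_id', appIds: ['mobile-app'] };
const cases = [
  ['misaligned + strict endpoint', makeAdapter(config, strictIntrospect, false), 'tok-mobile'],
  ['misaligned + lenient endpoint', makeAdapter(config, lenientIntrospect, false), 'tok-other'],
  ['aligned + lenient endpoint', makeAdapter(config, lenientIntrospect, true), 'tok-other'],
  ['aligned + strict endpoint', makeAdapter(config, strictIntrospect, true), 'tok-mobile'],
];
for (const [name, adapter, token] of cases) {
  const r = login(adapter, config, token);
  console.log(`${name}: sent=${r.sent} ok=${r.ok} (${r.reason})`);
}
```

The `sent` field is the value to look for in introspection endpoint logs: on an affected deployment it never matches a token the provider issued.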
### Workarounds
There is no known workaround.
### References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2
- Fix in Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13
- Fix in Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.39
nvd CVSS4.0
6.3
Vulnerability type
CWE-683
- https://github.com/parse-community/parse-server/releases/tag/8.6.39
- https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f6...
- https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13
- https://nvd.nist.gov/vuln/detail/CVE-2026-32269
- https://github.com/advisories/GHSA-69xg-f649-w5g2
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026