CVE-2026-30967 (GCVE-0-2026-30967)
Vulnerability from cvelistv5 – Published: 2026-03-10 20:46 – Updated: 2026-03-11 15:24
VLAI?
Title
Parse Server OAuth2 authentication adapter account takeover via identity spoofing
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9. and 8.6.22.
Severity ?
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-server |
Affected:
>= 9.0.0 < 9.5.2-alpha.9
Affected: < 8.6.22 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30967",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T15:24:03.603972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T15:24:17.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0 \u003c 9.5.2-alpha.9"
},
{
"status": "affected",
"version": "\u003c 8.6.22"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider\u0027s token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9. and 8.6.22."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T20:46:40.222Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/8.6.22",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.22"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9"
}
],
"source": {
"advisory": "GHSA-fr88-w35c-r596",
"discovery": "UNKNOWN"
},
"title": "Parse Server OAuth2 authentication adapter account takeover via identity spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30967",
"datePublished": "2026-03-10T20:46:40.222Z",
"dateReserved": "2026-03-07T17:53:48.815Z",
"dateUpdated": "2026-03-11T15:24:17.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-30967\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-10T21:16:49.183\",\"lastModified\":\"2026-03-11T19:04:03.417\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider\u0027s token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9. and 8.6.22.\"},{\"lang\":\"es\",\"value\":\"Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.5.2-alpha.9. y 8.6.22, el adaptador de autenticaci\u00f3n OAuth2, cuando se configura sin la opci\u00f3n useridField, solo verifica que un token est\u00e1 activo a trav\u00e9s del endpoint de introspecci\u00f3n de tokens del proveedor, pero no verifica que el token pertenezca al usuario identificado por authData.id. Un atacante con cualquier token OAuth2 v\u00e1lido del mismo proveedor puede autenticarse como cualquier otro usuario. Esto afecta a cualquier despliegue de Parse Server que utiliza el adaptador de autenticaci\u00f3n OAuth2 gen\u00e9rico (configurado con oauth2: true) sin establecer la opci\u00f3n useridField. Esta vulnerabilidad est\u00e1 corregida en 9.5.2-alpha.9. y 8.6.22.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"8.6.22\",\"matchCriteriaId\":\"E4334283-632F-4889-B492-A8ED94F505EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndExcluding\":\"9.5.2\",\"matchCriteriaId\":\"E66572ED-597B-4D8E-A636-733D463A4E4D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"E0D611B9-CD4F-418B-8FBD-CFA1BCA9E817\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"6521B8A9-6116-4CAE-9B5E-F22C204B1F0C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"601B2CF1-D29A-42CC-8405-185C1A8E1EB2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"BC9F2B9D-026F-454B-B565-05AA441FA54F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"FDDB20F1-F6A7-4B1E-B075-CC250613D826\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"CA14D0B7-B952-4C4E-B271-3EBB51C03E9C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"19B7C5A9-B59A-4A47-B4F0-13C7C796B496\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"0E619B8B-BC91-4F71-B84D-52E563AB8E03\"}]}]}],\"references\":[{\"url\":\"https://github.com/parse-community/parse-server/releases/tag/8.6.22\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-30967\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-11T15:24:03.603972Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-11T15:24:07.202Z\"}}], \"cna\": {\"title\": \"Parse Server OAuth2 authentication adapter account takeover via identity spoofing\", \"source\": {\"advisory\": \"GHSA-fr88-w35c-r596\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"parse-community\", \"product\": \"parse-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 9.0.0 \u003c 9.5.2-alpha.9\"}, {\"status\": \"affected\", \"version\": \"\u003c 8.6.22\"}]}], \"references\": [{\"url\": \"https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596\", \"name\": \"https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/parse-community/parse-server/releases/tag/8.6.22\", \"name\": \"https://github.com/parse-community/parse-server/releases/tag/8.6.22\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9\", \"name\": \"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider\u0027s token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9. and 8.6.22.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-10T20:46:40.222Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-30967\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-11T15:24:17.364Z\", \"dateReserved\": \"2026-03-07T17:53:48.815Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-10T20:46:40.222Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…