Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter

Description

An unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **<= 8.6.2

  >= 9.0.0, <= 9.3.1-alpha.3**

• Patched version(s): **8.6.3

  9.3.1-alpha.4**

References

• GHSA-4q3h-vp4r-prv2
• CVE-2026-27804
• CWE-327
• CWE-345
• CAPEC-310
• OWASP 2021-A2
• OWASP 2021-A6
• OWASP 2021-A8

Related Issues

• Parse Server OAuth2 authentication adapter account takeover via identity spoofing - CVE-2026-30967
• Parse Server: Account takeover via operator injection in authentication data identifier - CVE-2026-32248
• Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance - CVE-2026-32242
• Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409

Tags:

npm

parse-server