Description
Validation of the authentication adapter app ID for Facebook and Spotify may be circumvented.
Recommendation
Update the parse-server package to the latest compatible version. Version details follow:
Affected version(s): **>= 5.0.0, < 5.2.7** and **< 4.10.16**. Patched version(s): **5.2.7**, **4.10.16**.
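One way to check a project against the version ranges in this advisory, as an added example that is not part of the original advisory or of the parse-server project: it walks a parsed `package-lock.json` and classifies every installed copy of parse-server, including nested ones. The function names and the sample lockfile are constructed for illustration; prerelease and non-pinned versions are reported as `unknown` because the advisory does not say how they are affected.

```javascript
// Added example. Ranges copied from this advisory:
//   affected: < 4.10.16, or >= 5.0.0 and < 5.2.7
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// classify() is a hypothetical helper name, not an npm or parse-server API.
function classify(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) return 'unknown';   // git URL, tarball or missing version: not a pinned release
  if (m[4]) return 'unknown'; // prerelease: not covered by the advisory, review by hand
  const v = [Number(m[1]), Number(m[2]), Number(m[3])];
  if (cmp(v, [4, 10, 16]) < 0) return 'affected';
  if (cmp(v, [5, 0, 0]) >= 0 && cmp(v, [5, 2, 7]) < 0) return 'affected';
  return 'not-affected';
}

// Accepts a parsed package-lock.json: the v2/v3 "packages" map when present,
// otherwise the nested v1 "dependencies" tree. Returns one entry per copy found.
function findParseServer(lock) {
  const hits = [];
  const add = (path, pkg) =>
    hits.push({ path, version: pkg.version, status: classify(pkg.version) });
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/parse-server' ||
        path.endsWith('/node_modules/parse-server')) add(path, pkg);
  }
  const walk = (deps, prefix) => {
    for (const [name, pkg] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'parse-server') add(path, pkg);
      walk(pkg.dependencies, `${path}/`); // v1 nests transitive copies here
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (v3 layout) with a top-level and a nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/parse-server': { version: '5.2.4' },
    'node_modules/legacy-api/node_modules/parse-server': { version: '4.10.16' },
  },
};
console.log(findParseServer(sampleLock));
```

In a real project, pass the result of `JSON.parse` on the lockfile contents; a nested copy pulled in by another dependency is easy to miss when only the top-level `package.json` is checked.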
References
Related Issues
- Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint - CVE-2026-32269
- Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter - CVE-2026-27804
- parse-server's session object properties can be updated by foreign user if object ID is known - CVE-2022-39225
- Parse Server missing audience validation in Keycloak authentication adapter - CVE-2026-30949
Tags: npm, parse-server
Last updated on January 27, 2023