Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters

Description

The Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter’s audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.10

  >= 9.0.0-alpha.1, < 9.5.0-alpha.11**

• Patched version(s): **8.6.10

  9.5.0-alpha.11**

References

• GHSA-x6fw-778m-wr9v
• CVE-2026-30863
• CWE-287
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A7

Related Issues

• Parse Server missing audience validation in Keycloak authentication adapter - CVE-2026-30949
• Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
• Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter - CVE-2026-27804
• Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes - CVE-2026-31800

Tags:

npm

parse-server