Parse Server OAuth2 authentication adapter account takeover via identity spoofing
- Severity: High
Description
The OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider’s token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id.
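To make the gap concrete, the following is an added example in JavaScript, not Parse Server's own adapter code: a mock of the introspection-only check beside a hardened check that binds the identity field of the introspection response (named by useridField) to authData.id. The access_token field name, the `sub` identity field and the introspect() helper are assumptions.

```javascript
// Added example (not Parse Server's own code). Models the OAuth2 adapter's
// token check in its weak form (no useridField) and a hardened form.
// Names other than `useridField` and `authData.id` are assumptions.

// Constructed introspection responses, shaped like what an OAuth2
// provider's token introspection endpoint (RFC 7662) returns.
const INTROSPECTION = {
  'token-of-alice': { active: true, sub: 'alice-123' },
  'token-of-mallory': { active: true, sub: 'mallory-456' },
  'revoked-token': { active: false },
};

// Stand-in for the HTTP call to the provider's introspection endpoint.
function introspect(token) {
  return INTROSPECTION[token] || { active: false };
}

// Weak check: only asks "is this token active?". Any live token issued
// by the provider passes, whatever account it was issued for, so the
// caller controls which authData.id the session is bound to.
function validateWeak(authData) {
  return introspect(authData.access_token).active === true;
}

// Hardened check: also binds the token to the claimed identity by
// comparing the introspection field named by useridField with
// authData.id. Fails closed when useridField is not configured.
function validateHardened(authData, options) {
  const resp = introspect(authData.access_token);
  if (resp.active !== true) return false;
  if (!options || !options.useridField) return false;
  const id = resp[options.useridField];
  return typeof id === 'string' && id === authData.id;
}

// Corrected adapter configuration for the mock provider above.
const hardenedOptions = { useridField: 'sub' };
```

The weak form accepts a live token for a different subject paired with someone else's authData.id; the hardened form rejects it and also rejects inactive tokens and a missing useridField.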
Recommendation
Update the parse-server package to the latest compatible version. Version details follow:
Affected version(s): **< 8.6.22; >= 9.0.0-alpha.1, < 9.5.2-alpha.9**
Patched version(s): **8.6.22; 9.5.2-alpha.9**
References
Related Issues
- Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter - CVE-2026-27804
- Parse Server: Account takeover via operator injection in authentication data identifier - CVE-2026-32248
- Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance - CVE-2026-32242
- Parse Server missing audience validation in Keycloak authentication adapter - CVE-2026-30949
- Tags: npm, parse-server
Last updated on March 11, 2026