CVE-2026-30967

High

Published: 10 March 2026

Published

10 March 2026

Modified

11 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 28.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active…

via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9. and 8.6.22.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring timely remediation of the specific flaw in Parse Server's OAuth2 token-user binding verification through vendor patches to fixed versions.

IA-13 Identity Providers and Authorization Servers good match

prevent

Ensures robust management of OAuth2 identity providers and authorization servers, including verification of token authenticity and user binding to prevent impersonation.

CM-6 Configuration Settings partial match

prevent

Enforces secure configuration settings for the OAuth2 adapter, such as requiring the useridField option to enable proper token ownership verification.

Security SummaryAI

CVE-2026-30967 affects Parse Server, an open source backend deployable on any Node.js infrastructure. In versions prior to 9.5.2-alpha.9 and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active using the provider's token introspection endpoint but does not confirm that the token belongs to the user identified by authData.id. This improper authentication mechanism, classified as CWE-287, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and impacts deployments using the generic OAuth2 adapter (configured with oauth2: true) lacking the useridField option.

An attacker with any valid OAuth2 token from the same provider can exploit this vulnerability over the network with low complexity and low privileges required, without user interaction. Successful exploitation enables authentication as any other user, potentially leading to high impacts on confidentiality, integrity, and availability through unauthorized access and actions under impersonated identities.

Mitigation is provided in Parse Server versions 9.5.2-alpha.9 and 8.6.22, which address the token ownership verification flaw. The GitHub security advisory GHSA-fr88-w35c-r596 and release notes for these versions detail the fix and recommend upgrading affected deployments.

Details

CWE(s): CWE-287

Affected Products

parseplatform

parse-server

9.5.2 · ≤ 8.6.22 · 9.0.0 — 9.5.2

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability in Parse Server, a public-facing backend API, allows remote exploitation of an authentication flaw to impersonate users, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/parse-community/parse-server/releases/tag/8.6.22
Product, Release Notes · security-advisories@github.com
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9
Product, Release Notes · security-advisories@github.com
https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596
Patch, Vendor Advisory · security-advisories@github.com