CVE-2026-30967 · HIGH 8.8 · EPSS percentile 24.9%

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9 and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint; it does not verify that the token belongs to the user identified by authData.id. An attacker holding any valid OAuth2 token from the same provider can therefore authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9 and 8.6.22.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.33% probability of exploitation · percentile 24.9% · 2026-06-19T12:03:05Z
Published: 2026-03-10
Last modified: 2026-03-11

Underlying weaknesses · 1

CWE-287

References

  1. https://github.com/parse-community/parse-server/releases/tag/8.6.22
  2. https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9
  3. https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596

Type       Target                               Confidence   Tier
Weakness   Improper Authentication (CWE-287)    0%           live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-30863
  2. CVE-2026-33409
  3. CVE-2026-32248
  4. CVE-2026-30949
  5. CVE-2026-30965
  6. CVE-2026-30966

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.