CVE-2026-27804 Overview
Parse Server, an open source backend that can be deployed to any infrastructure running Node.js, contains a critical authentication bypass vulnerability in its Google authentication adapter. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token using alg: "none" to log in as any user linked to a Google account, without knowing their credentials. This JWT algorithm confusion attack affects all deployments with Google authentication enabled.
Critical Impact
Unauthenticated attackers can bypass authentication and impersonate any user with a linked Google account by exploiting JWT algorithm confusion, potentially compromising all user accounts in affected deployments.
Affected Products
- Parse Server versions prior to 8.6.3
- Parse Server versions prior to 9.1.1-alpha.4
- All Parse Server deployments with Google authentication enabled
Discovery Timeline
- 2026-02-26 - CVE CVE-2026-27804 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27804
Vulnerability Analysis
This vulnerability is classified under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). The root issue lies in how Parse Server's Google authentication adapter processes JWT tokens. The adapter trusts the algorithm specified in the JWT header rather than enforcing a specific cryptographic algorithm.
When a JWT token is received, the vulnerable code extracts both the kid (key ID) and alg (algorithm) from the token header. An attacker can craft a malicious JWT with alg: "none", which instructs the verification process to skip signature validation entirely. This allows the attacker to forge tokens claiming to be any user with a linked Google account.
The vulnerability requires no authentication and can be exploited remotely over the network. Successful exploitation results in complete bypass of authentication controls, allowing attackers to gain high-level access to user accounts and potentially sensitive data stored within the Parse Server instance.
Root Cause
The vulnerability stems from the Google authentication adapter's custom JWT verification logic that reads the algorithm from the untrusted JWT header. Instead of hardcoding the expected RS256 algorithm used by Google's identity services, the code allowed the attacker-controlled header to dictate which algorithm to use for signature verification. When alg: "none" is specified, no cryptographic verification occurs, and the token is accepted as valid regardless of its signature.
Attack Vector
The attack is network-based and requires no prior authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying a Parse Server instance with Google authentication enabled
- Crafting a malicious JWT token with alg: "none" in the header
- Including the target user's Google account identifier in the token payload
- Sending the forged token to the Parse Server authentication endpoint
- Gaining authenticated access as the target user
// Security patch showing the fix (Source: GitHub Commit)
// Before: Algorithm extracted from untrusted token header
- const { kid: keyId, alg: algorithm } = authUtils.getHeaderFromToken(token);
// After: Only key ID extracted, algorithm is hardcoded to RS256
+ const { kid: keyId } = authUtils.getHeaderFromToken(token);
const ONE_HOUR_IN_MS = 3600000;
let jwtClaims;
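Review bot: the hunk only removes `alg` from the header destructure; the lines shown do not include the verification call, so the comment "algorithm is hardcoded to RS256" is not yet visible in the patch itself. The call that consumes `keyId` and `token` should pass an explicit single-entry algorithm allowlist (RS256) so that the header's `alg` is never consulted, and the change should come with a regression test that feeds a token carrying `alg: "none"` and asserts it is rejected before any key lookup.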
Source: GitHub Commit Fix
Detection Methods for CVE-2026-27804
Indicators of Compromise
- Authentication requests containing JWT tokens with alg: "none" or alg: "None" in the header
- Unusual authentication patterns from unexpected IP addresses or geolocations for known user accounts
- Successful Google authentication events without corresponding Google-side login activity
- JWT tokens lacking valid cryptographic signatures being processed successfully
Detection Strategies
- Monitor authentication logs for JWT tokens with non-standard or absent algorithm specifications
- Implement Web Application Firewall (WAF) rules to detect and block JWTs containing "alg":"none" patterns
- Enable verbose logging on Parse Server authentication adapters to capture JWT header details
- Cross-reference Google authentication events with Google Workspace or Cloud Identity audit logs
Monitoring Recommendations
- Set up alerts for authentication anomalies including multiple successful logins from disparate locations
- Monitor Parse Server error logs for JWT validation failures that may indicate exploitation attempts
- Implement rate limiting on authentication endpoints to slow potential automated attacks
- Enable SentinelOne Singularity Platform to detect suspicious authentication patterns and potential account takeover attempts
How to Mitigate CVE-2026-27804
Immediate Actions Required
- Upgrade Parse Server to version 8.6.3 or 9.1.1-alpha.4 immediately
- Audit authentication logs for signs of exploitation prior to patching
- Review all user accounts for unauthorized access or suspicious activity
- If unable to upgrade immediately, disable Google authentication until patching is possible
Patch Information
The fix has been released in Parse Server versions 8.6.3 and 9.1.1-alpha.4. The patch implements two critical changes:
- Hardcoded Algorithm Enforcement: The expected RS256 algorithm is now hardcoded instead of being read from the JWT header
- Improved Key Verification: The Google adapter's custom key fetcher has been replaced with the jwks-rsa library, which properly rejects unknown key IDs
For more details, refer to the GitHub Security Advisory GHSA-4q3h-vp4r-prv2 and the official releases at Parse Server 8.6.3 and Parse Server 9.3.1-alpha.4.
Workarounds
- Disable Google authentication in Parse Server configuration until upgrade is possible
- Implement additional authentication layers such as MFA for critical accounts
- Deploy network-level controls to restrict access to authentication endpoints
- Use a reverse proxy to filter requests containing suspicious JWT patterns
# Configuration example - Disable Google authentication temporarily
# In your Parse Server configuration file or environment variables
PARSE_SERVER_AUTH_PROVIDERS='{"google":{"enabled":false}}'
# Or in parse-server-config.json
# Set "google" adapter to disabled until patch is applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

