CVE-2026-30967: Parse Server OAuth2 Auth Bypass Vulnerability

CVE-2026-30967 Overview

CVE-2026-30967 is an authentication bypass vulnerability affecting Parse Server, an open source backend that can be deployed to any infrastructure that can run Node.js. The vulnerability exists in the OAuth2 authentication adapter when configured without the useridField option. In this misconfigured state, the adapter only verifies that a token is active via the provider's token introspection endpoint but fails to verify that the token belongs to the user identified by authData.id. This allows an attacker with any valid OAuth2 token from the same provider to authenticate as any other user.

Critical Impact
This authentication bypass vulnerability enables complete account takeover. Any attacker possessing a valid OAuth2 token from the configured provider can impersonate any user on the Parse Server deployment, potentially gaining unauthorized access to sensitive user data and application functionality.

Affected Products

parseplatform parse-server versions prior to 8.6.22
parseplatform parse-server versions 9.5.2-alpha1 through 9.5.2-alpha8
Any Parse Server deployment using the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option

Discovery Timeline

2026-03-10 - CVE CVE-2026-30967 published to NVD
2026-03-11 - Last updated in NVD database

Technical Details for CVE-2026-30967

Vulnerability Analysis

This vulnerability is classified as CWE-287 (Improper Authentication). The root issue lies in incomplete token validation within the OAuth2 authentication adapter. When the useridField option is not configured, Parse Server performs an incomplete authorization check that only confirms the OAuth2 token is active but does not validate token ownership.

The attack requires network access and low privileges (a valid OAuth2 token from the same identity provider). While some preparation is needed to exploit the vulnerability, successful exploitation results in complete compromise of user confidentiality and integrity, allowing attackers to access and modify data belonging to any user account.

Root Cause

The OAuth2 authentication adapter implementation contains a logic flaw in its token validation routine. When the useridField option is not explicitly set in the Parse Server configuration, the adapter relies solely on the OAuth2 provider's token introspection endpoint to verify that a token is active. However, this validation step does not include verification that the token was actually issued to the user specified in the authData.id field. This missing authorization check creates a gap where token activity is confirmed but token ownership is not.

Attack Vector

The vulnerability can be exploited through the following attack flow:

An attacker obtains any valid OAuth2 access token from the OAuth2 provider configured with the Parse Server instance. This could be their own legitimate token or one obtained through other means.
The attacker sends an authentication request to Parse Server with the valid OAuth2 token but specifies a target victim's user ID in the authData.id field.
Parse Server's OAuth2 adapter validates the token against the provider's introspection endpoint, which confirms the token is active.
Because useridField is not configured, Parse Server does not verify that the token actually belongs to the user specified in authData.id.
The attacker is successfully authenticated as the victim user, gaining full access to their account and data.

This attack requires the attacker to know or guess the target user's ID within the Parse Server system. The vulnerability affects any deployment using the generic OAuth2 authentication adapter without proper configuration of the useridField option.

Detection Methods for CVE-2026-30967

Indicators of Compromise

Authentication events where a single OAuth2 token is used to access multiple different user accounts
Unusual login patterns showing rapid account switches using the same OAuth2 provider token
User complaints about unauthorized access or unexpected account activity following OAuth2 authentication
Log entries showing authentication success for user IDs that don't match the token's actual owner

Detection Strategies

Review Parse Server configuration files to verify whether the useridField option is properly set for OAuth2 authentication adapters
Implement logging and monitoring of OAuth2 authentication events, correlating token identifiers with authenticated user IDs
Audit authentication logs for patterns where the same access token is associated with multiple user accounts
Deploy application-level monitoring to detect anomalous authentication behavior

Monitoring Recommendations

Enable verbose authentication logging in Parse Server to capture token validation details
Set up alerts for authentication events that exhibit token reuse across different user accounts
Monitor for unusual spikes in OAuth2 authentication failures that may indicate exploitation attempts
Implement user behavior analytics to detect account access patterns inconsistent with normal user activity

How to Mitigate CVE-2026-30967

Immediate Actions Required

Upgrade Parse Server to version 8.6.22 or 9.5.2-alpha.9 or later immediately
If immediate upgrade is not possible, configure the useridField option in the OAuth2 authentication adapter configuration
Audit OAuth2 authentication adapter configurations across all Parse Server deployments
Review authentication logs for any signs of prior exploitation

Patch Information

Parse Server has released security patches that address this vulnerability. Organizations should upgrade to the following versions:

For the 8.x branch: Upgrade to version 8.6.22 or later
For the 9.x branch: Upgrade to version 9.5.2-alpha.9 or later

Additional technical details and security guidance are available in the GitHub Security Advisory GHSA-fr88-w35c-r596.

Workarounds

Configure the useridField option in the OAuth2 authentication adapter to ensure proper token ownership validation
If OAuth2 authentication is not essential, consider temporarily disabling the OAuth2 adapter until patches can be applied
Implement additional network-level controls to limit access to authentication endpoints
Consider deploying a web application firewall (WAF) with rules to monitor and filter suspicious authentication requests

bash

# Configuration example for Parse Server OAuth2 adapter with useridField
# Add this to your Parse Server initialization configuration
# This ensures proper token ownership validation

# Example configuration snippet (parse-server-config.js):
# auth: {
#   oauth2: {
#     enabled: true,
#     tokenIntrospectionEndpointUrl: "https://your-oauth-provider.com/introspect",
#     useridField: "sub"  # Critical: Set this to the field containing user ID in token response
#   }
# }

CVE-2026-30967 Overview

Critical Impact
This authentication bypass vulnerability enables complete account takeover. Any attacker possessing a valid OAuth2 token from the configured provider can impersonate any user on the Parse Server deployment, potentially gaining unauthorized access to sensitive user data and application functionality.

Affected Products

parseplatform parse-server versions prior to 8.6.22
parseplatform parse-server versions 9.5.2-alpha1 through 9.5.2-alpha8
Any Parse Server deployment using the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option

Discovery Timeline

2026-03-10 - CVE CVE-2026-30967 published to NVD
2026-03-11 - Last updated in NVD database

Technical Details for CVE-2026-30967

Vulnerability Analysis

Root Cause

Attack Vector

The vulnerability can be exploited through the following attack flow:

An attacker obtains any valid OAuth2 access token from the OAuth2 provider configured with the Parse Server instance. This could be their own legitimate token or one obtained through other means.
The attacker sends an authentication request to Parse Server with the valid OAuth2 token but specifies a target victim's user ID in the authData.id field.
Parse Server's OAuth2 adapter validates the token against the provider's introspection endpoint, which confirms the token is active.
Because useridField is not configured, Parse Server does not verify that the token actually belongs to the user specified in authData.id.
The attacker is successfully authenticated as the victim user, gaining full access to their account and data.

Detection Methods for CVE-2026-30967

Indicators of Compromise

Authentication events where a single OAuth2 token is used to access multiple different user accounts
Unusual login patterns showing rapid account switches using the same OAuth2 provider token
User complaints about unauthorized access or unexpected account activity following OAuth2 authentication
Log entries showing authentication success for user IDs that don't match the token's actual owner

Detection Strategies

Review Parse Server configuration files to verify whether the useridField option is properly set for OAuth2 authentication adapters
Implement logging and monitoring of OAuth2 authentication events, correlating token identifiers with authenticated user IDs
Audit authentication logs for patterns where the same access token is associated with multiple user accounts
Deploy application-level monitoring to detect anomalous authentication behavior

Monitoring Recommendations

Enable verbose authentication logging in Parse Server to capture token validation details
Set up alerts for authentication events that exhibit token reuse across different user accounts
Monitor for unusual spikes in OAuth2 authentication failures that may indicate exploitation attempts
Implement user behavior analytics to detect account access patterns inconsistent with normal user activity

How to Mitigate CVE-2026-30967

Immediate Actions Required

Upgrade Parse Server to version 8.6.22 or 9.5.2-alpha.9 or later immediately
If immediate upgrade is not possible, configure the useridField option in the OAuth2 authentication adapter configuration
Audit OAuth2 authentication adapter configurations across all Parse Server deployments
Review authentication logs for any signs of prior exploitation

Patch Information

Parse Server has released security patches that address this vulnerability. Organizations should upgrade to the following versions:

For the 8.x branch: Upgrade to version 8.6.22 or later
For the 9.x branch: Upgrade to version 9.5.2-alpha.9 or later

Additional technical details and security guidance are available in the GitHub Security Advisory GHSA-fr88-w35c-r596.

Workarounds

Configure the useridField option in the OAuth2 authentication adapter to ensure proper token ownership validation
If OAuth2 authentication is not essential, consider temporarily disabling the OAuth2 adapter until patches can be applied
Implement additional network-level controls to limit access to authentication endpoints
Consider deploying a web application firewall (WAF) with rules to monitor and filter suspicious authentication requests

bash

# Configuration example for Parse Server OAuth2 adapter with useridField
# Add this to your Parse Server initialization configuration
# This ensures proper token ownership validation

# Example configuration snippet (parse-server-config.js):
# auth: {
#   oauth2: {
#     enabled: true,
#     tokenIntrospectionEndpointUrl: "https://your-oauth-provider.com/introspect",
#     useridField: "sub"  # Critical: Set this to the field containing user ID in token response
#   }
# }

CVE-2026-30967: Parse Server OAuth2 Auth Bypass Vulnerability

CVE-2026-30967 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-30967

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-30967

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-30967

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-30967: Parse Server OAuth2 Auth Bypass Vulnerability

CVE-2026-30967 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-30967

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-30967

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-30967

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform