CVE-2026-30967 Overview
CVE-2026-30967 is an authentication bypass vulnerability affecting Parse Server, an open source backend that can be deployed to any infrastructure that can run Node.js. The vulnerability exists in the OAuth2 authentication adapter when configured without the useridField option. In this misconfigured state, the adapter only verifies that a token is active via the provider's token introspection endpoint but fails to verify that the token belongs to the user identified by authData.id. This allows an attacker with any valid OAuth2 token from the same provider to authenticate as any other user.
Critical Impact
This authentication bypass vulnerability enables complete account takeover. Any attacker possessing a valid OAuth2 token from the configured provider can impersonate any user on the Parse Server deployment, potentially gaining unauthorized access to sensitive user data and application functionality.
Affected Products
- parseplatform parse-server versions prior to 8.6.22
- parseplatform parse-server versions 9.5.2-alpha1 through 9.5.2-alpha8
- Any Parse Server deployment using the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option
Discovery Timeline
- 2026-03-10 - CVE-2026-30967 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30967
Vulnerability Analysis
This vulnerability is classified as CWE-287 (Improper Authentication). The root issue lies in incomplete token validation within the OAuth2 authentication adapter. When the useridField option is not configured, Parse Server performs an incomplete authorization check that only confirms the OAuth2 token is active but does not validate token ownership.
The attack requires network access and low privileges (a valid OAuth2 token from the same identity provider). While some preparation is needed to exploit the vulnerability, successful exploitation results in complete compromise of user confidentiality and integrity, allowing attackers to access and modify data belonging to any user account.
Root Cause
The OAuth2 authentication adapter implementation contains a logic flaw in its token validation routine. When the useridField option is not explicitly set in the Parse Server configuration, the adapter relies solely on the OAuth2 provider's token introspection endpoint to verify that a token is active. However, this validation step does not include verification that the token was actually issued to the user specified in the authData.id field. This missing authorization check creates a gap where token activity is confirmed but token ownership is not.
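To make the missing check concrete, here is an added illustration (not Parse Server's own code) of a simplified generic OAuth2 validation step in the two states the advisory describes. It assumes the provider's introspection response follows the RFC 7662 layout (active, sub, client_id); the HTTP call to tokenIntrospectionEndpointUrl is replaced by a constructed in-memory table so the example runs offline, and the option names useridField, appidField and appIds are the adapter options named on this page.

```javascript
// Added illustration, not Parse Server's code: the OAuth2 adapter's validation
// step in its vulnerable and hardened shapes. Introspection is stubbed with a
// constructed table so the example runs offline.

// Constructed sample introspection responses: each token belongs to one user.
const INTROSPECTION_TABLE = {
  "tok-alice": { active: true, sub: "alice", client_id: "app-1" },
  "tok-bob": { active: true, sub: "bob", client_id: "app-1" },
  "tok-expired": { active: false },
};

// Stand-in for POST tokenIntrospectionEndpointUrl (RFC 7662 response shape).
function introspect(accessToken) {
  if (Object.prototype.hasOwnProperty.call(INTROSPECTION_TABLE, accessToken)) {
    return INTROSPECTION_TABLE[accessToken];
  }
  return { active: false };
}

// Vulnerable shape: only "is the token active?" is checked. authData.id is
// accepted as given, so any active token from the provider passes for any id.
function validateActiveOnly(authData) {
  const res = introspect(authData.access_token);
  if (!res.active) {
    return { ok: false, reason: "token inactive" };
  }
  return { ok: true, userId: authData.id };
}

// Hardened shape: useridField names the introspection field that carries the
// token's subject, and that value must equal authData.id. appidField/appIds
// is the adapter's optional audience check, included because a token issued
// for a different client should be rejected as well.
function validateWithOwnership(authData, opts = {}) {
  const { useridField, appidField, appIds } = opts;
  if (!useridField) {
    // Design choice for this example: fail closed instead of running in the
    // misconfigured state the advisory describes.
    return { ok: false, reason: "useridField is not configured" };
  }
  const res = introspect(authData.access_token);
  if (!res.active) {
    return { ok: false, reason: "token inactive" };
  }
  // Reject a missing subject too: undefined === undefined must not pass.
  if (typeof authData.id !== "string" || res[useridField] !== authData.id) {
    return { ok: false, reason: "token subject does not match authData.id" };
  }
  if (appidField && Array.isArray(appIds) && !appIds.includes(res[appidField])) {
    return { ok: false, reason: "token was not issued for this app" };
  }
  return { ok: true, userId: authData.id };
}
```

Presenting Bob's active token with authData.id set to "alice" is accepted by validateActiveOnly and rejected by validateWithOwnership; the ownership comparison is the only difference between the two, which is why the useridField setting decides whether the deployment is exposed.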
Attack Vector
The vulnerability can be exploited through the following attack flow:
An attacker obtains any valid OAuth2 access token from the OAuth2 provider configured with the Parse Server instance. This could be their own legitimate token or one obtained through other means.
The attacker sends an authentication request to Parse Server with the valid OAuth2 token but specifies a target victim's user ID in the authData.id field.
Parse Server's OAuth2 adapter validates the token against the provider's introspection endpoint, which confirms the token is active.
Because useridField is not configured, Parse Server does not verify that the token actually belongs to the user specified in authData.id.
The attacker is successfully authenticated as the victim user, gaining full access to their account and data.
This attack requires the attacker to know or guess the target user's ID within the Parse Server system. The vulnerability affects any deployment using the generic OAuth2 authentication adapter without proper configuration of the useridField option.
Detection Methods for CVE-2026-30967
Indicators of Compromise
- Authentication events where a single OAuth2 token is used to access multiple different user accounts
- Unusual login patterns showing rapid account switches using the same OAuth2 provider token
- User complaints about unauthorized access or unexpected account activity following OAuth2 authentication
- Log entries showing authentication success for user IDs that don't match the token's actual owner
Detection Strategies
- Review Parse Server configuration files to verify whether the useridField option is properly set for OAuth2 authentication adapters
- Implement logging and monitoring of OAuth2 authentication events, correlating token identifiers with authenticated user IDs
- Audit authentication logs for patterns where the same access token is associated with multiple user accounts
- Deploy application-level monitoring to detect anomalous authentication behavior
Monitoring Recommendations
- Enable verbose authentication logging in Parse Server to capture token validation details
- Set up alerts for authentication events that exhibit token reuse across different user accounts
- Monitor for unusual spikes in OAuth2 authentication failures that may indicate exploitation attempts
- Implement user behavior analytics to detect account access patterns inconsistent with normal user activity
How to Mitigate CVE-2026-30967
Immediate Actions Required
- Upgrade Parse Server to version 8.6.22 or 9.5.2-alpha.9 or later immediately
- If immediate upgrade is not possible, configure the useridField option in the OAuth2 authentication adapter configuration
- Audit OAuth2 authentication adapter configurations across all Parse Server deployments
- Review authentication logs for any signs of prior exploitation
Patch Information
Parse Server has released security patches that address this vulnerability. Organizations should upgrade to the following versions:
- For the 8.x branch: Upgrade to version 8.6.22 or later
- For the 9.x branch: Upgrade to version 9.5.2-alpha.9 or later
Additional technical details and security guidance are available in the GitHub Security Advisory GHSA-fr88-w35c-r596.
Workarounds
- Configure the useridField option in the OAuth2 authentication adapter to ensure proper token ownership validation
- If OAuth2 authentication is not essential, consider temporarily disabling the OAuth2 adapter until patches can be applied
- Implement additional network-level controls to limit access to authentication endpoints
- Consider deploying a web application firewall (WAF) with rules to monitor and filter suspicious authentication requests
// Configuration example for the Parse Server generic OAuth2 adapter with useridField set.
// Add this to your Parse Server initialization configuration (for example parse-server-config.js).
// With useridField set, the adapter compares the user ID in the introspection response to authData.id.
auth: {
  myOAuth2Provider: {            // placeholder provider name; it is the key clients use in authData
    enabled: true,
    oauth2: true,                // selects the generic OAuth2 adapter
    tokenIntrospectionEndpointUrl: "https://your-oauth-provider.com/introspect",
    useridField: "sub",          // critical: the introspection response field that carries the user ID
  },
},
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

