PT-2026-22056 · Unknown · Parse Server

Sebastianosrt

·

Published

2026-02-25

·

Updated

2026-03-04

·

CVE-2026-27804

CVSS v4.0

9.3

Critical

Vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 8.6.3
Parse Server versions prior to 9.1.1-alpha.4

Description

Parse Server is susceptible to a security issue where an unauthenticated attacker can create a forged Google authentication token using alg: "none" to gain access as any user associated with a Google account, without needing their credentials. All deployments utilizing Google authentication are potentially affected. The issue stems from trusting the JWT header and using a custom key fetcher that accepted unknown key IDs.

Recommendations

Versions prior to 8.6.3 should be upgraded to version 8.6.3 or later. Versions prior to 9.1.1-alpha.4 should be upgraded to version 9.1.1-alpha.4 or later. As a temporary workaround, disable Google authentication until an upgrade is possible.

Weakness Enumeration

Insufficient Verification of Data Authenticity
Use of a Broken Cryptographic Algorithm

Related Identifiers

BIT-PARSE-2026-27804
CVE-2026-27804
GHSA-4Q3H-VP4R-PRV2

Affected Products

Parse Server