PT-2026-23857
Asukachloe
Published 2026-03-07 · Updated 2026-03-12
CVE-2026-30863
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 8.6.10
Parse Server versions prior to 9.5.0-alpha.11
Description
Parse Server is an open source backend deployable on Node.js infrastructures. The Google, Apple, and Facebook authentication adapters utilize JWT verification to validate identity tokens. When the adapter’s audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification bypasses audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. The issue affects the authentication process when using Google, Apple, and Facebook authentication adapters. The vulnerable component relies on JWT (JSON Web Token) verification for identity validation.
Recommendations
Update Parse Server to version 8.6.10 or later.
Update Parse Server to version 9.5.0-alpha.11 or later.
Improper Authentication
Incorrect Authorization
Affected Products
Authentication Adapter
Facebook Authentication Adapter
Google Authentication Adapter
Parse Server