PT-2026-24458 · Unknown · Parse Server

Theinfosecguy · Published 2026-03-10 · Updated 2026-03-12 · CVE-2026-30967

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 9.5.2-alpha.9
Parse Server versions prior to 8.6.22
Description

Parse Server, an open-source backend that runs on Node.js, contains a flaw in its generic OAuth2 authentication adapter. When the adapter is configured without the useridField option, it checks that a presented token is active by calling the provider's token introspection endpoint, but it never confirms that the token belongs to the user named in authData.id. An attacker who holds any valid OAuth2 token from the same provider can therefore authenticate as any other user by supplying that user's id in authData alongside their own token. The issue affects Parse Server deployments that use the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option.
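To make the missing check concrete, here is a small JavaScript model of the two adapter behaviours described above: an "unbound" validator that only asks the provider whether the token is active, and a "bound" validator that additionally compares the introspection response's user field with authData.id. This is an added illustration, not Parse Server's code: introspect() is a hypothetical stand-in for the HTTP call to the introspection endpoint, the provider responses are constructed for the demo, and the appidField/appIds check in the hardened version is an extra not described on this page.

```javascript
// Added example (not Parse Server's code): a minimal model of a generic OAuth2
// auth adapter that checks a client-supplied access token against a provider's
// token introspection endpoint (RFC 7662). introspect() is a hypothetical
// stand-in for that HTTP call, and the provider responses are constructed.

// Constructed introspection responses: token -> what the provider would return.
const CONSTRUCTED_INTROSPECTION = {
  'tok-alice':   { active: true,  sub: 'alice',   client_id: 'my-app' },
  'tok-mallory': { active: true,  sub: 'mallory', client_id: 'my-app' },
  'tok-expired': { active: false },
};

// Hypothetical stand-in; a real adapter POSTs token=... to the provider's
// introspection URL. Unknown tokens are reported inactive, as a provider would.
function introspect(token) {
  return CONSTRUCTED_INTROSPECTION[token] || { active: false };
}

// Vulnerable shape: only asks "is this token active?". authData.id is taken on
// trust, so any live token from the provider passes for any claimed user.
function validateAuthDataUnbound(authData) {
  const resp = introspect(authData.access_token);
  if (!resp.active) throw new Error('token is invalid or expired');
  return { id: authData.id }; // identity comes from the client, never verified
}

// Hardened shape: refuse to run without a useridField, and bind the token to
// the claimed user by comparing the introspection response's user field
// (e.g. 'sub') with authData.id. The app pinning is an extra, not from the page.
function makeBoundValidator({ useridField, appidField, appIds } = {}) {
  if (!useridField) {
    throw new Error('useridField is required to bind the token to a user');
  }
  return function validateAuthDataBound(authData) {
    const resp = introspect(authData.access_token);
    if (!resp.active) throw new Error('token is invalid or expired');
    const tokenUser = resp[useridField];
    if (tokenUser === undefined || String(tokenUser) !== String(authData.id)) {
      throw new Error('token does not belong to the claimed user');
    }
    if (appidField && Array.isArray(appIds) && !appIds.includes(resp[appidField])) {
      throw new Error('token was not issued to this application');
    }
    return { id: authData.id };
  };
}

// Demo: Mallory presents her own valid token but claims Alice's id.
const forged = { id: 'alice', access_token: 'tok-mallory' };
console.log('unbound adapter:', validateAuthDataUnbound(forged)); // { id: 'alice' }
const bound = makeBoundValidator({ useridField: 'sub', appidField: 'client_id', appIds: ['my-app'] });
try {
  bound(forged);
} catch (e) {
  console.log('bound adapter:', e.message); // token does not belong to the claimed user
}
```

The point the example makes is that an active token proves only that the provider issued it to someone; without a configured user id field to compare against authData.id, the adapter has no evidence of who that someone is. Which field carries the user id (sub, user_id, etc.) is provider-specific, so it has to be configured rather than guessed.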
Recommendations

Update to Parse Server version 9.5.2-alpha.9 or later (9.x line).
Update to Parse Server version 8.6.22 or later (8.x line).

Weakness Enumeration

Improper Authentication

Related Identifiers

BIT-PARSE-2026-30967
CVE-2026-30967
GHSA-FR88-W35C-R596

Affected Products

Parse Server