PT-2026-25054

Fancymalware

Published: 2026-03-12

Updated: 2026-03-16

CVE-2026-32242

CVSS v4.0: 9.1 (Critical)

Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 9.6.0-alpha.11 and 8.6.37

Description: Parse Server, an open source backend deployable on Node.js infrastructures, has an issue where its built-in OAuth2 authentication adapter reuses a singleton instance across all OAuth2 provider configurations. Concurrent authentication requests for different OAuth2 providers can lead to one provider’s token validation using another provider’s configuration. This could allow a token that should be rejected by one provider to be incorrectly accepted due to validation against a different provider’s policy. Deployments configuring multiple OAuth2 providers with the oauth2: true flag are affected. The issue stems from a race condition in the OAuth2 adapter, potentially allowing attackers to bypass token validation.

Recommendations: Versions prior to 9.6.0-alpha.11 should be updated to 9.6.0-alpha.11 or later. Versions prior to 8.6.37 should be updated to 8.6.37 or later.
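The following is an added model of the bug class described above; it is not Parse Server's code. A singleton adapter that writes the caller's provider options onto `this` and then awaits a remote introspection call can finish under whichever provider's policy was written last, while a per-provider instance keeps its policy fixed. The provider names, the `<issuer>|<opaque>` token format and the `remoteIntrospect` helper are constructed assumptions.

```javascript
// Added illustration of the singleton-reuse race; not Parse Server's code.
// Constructed provider policies: each provider trusts only its own issuer.
const PROVIDERS = {
  github: { issuer: "https://github.example", oauth2: true },
  acme: { issuer: "https://acme.example", oauth2: true },
};
// Constructed stand-in for a provider's token-introspection endpoint:
// the token string encodes its issuer as "<issuer>|<opaque>".
function remoteIntrospect(token) {
  return { iss: token.split("|")[0] };
}

// Validation is a generator: the "await" on network I/O becomes an explicit
// yield point that the scheduler below interleaves deterministically.
class SingletonOAuth2Adapter {
  *validateAuthData(authData, options) {
    this.issuer = options.issuer; // shared mutable state: the defect
    const claims = yield remoteIntrospect(authData.token);
    return claims.iss === this.issuer; // may now be another provider's issuer
  }
}

class PerProviderOAuth2Adapter {
  constructor(options) {
    this.issuer = options.issuer; // bound once per provider, never reassigned
  }
  *validateAuthData(authData) {
    const claims = yield remoteIntrospect(authData.token);
    return claims.iss === this.issuer;
  }
}

// Round-robin scheduler: every request reaches its I/O point before any
// resumes, one interleaving that two concurrent requests can produce.
function runConcurrently(tasks) {
  const gens = tasks.map(([adapter, data, opts]) => adapter.validateAuthData(data, opts));
  const io = gens.map((g) => g.next().value);
  return gens.map((g, i) => g.next(io[i]).value);
}

// An acme-issued token is presented to github (request 1, must be rejected)
// and to acme (request 2, legitimately accepted) at the same time.
const ACME_TOKEN = "https://acme.example|constructed-opaque-token";

function raceSingleton() {
  const shared = new SingletonOAuth2Adapter();
  return runConcurrently([[shared, { token: ACME_TOKEN }, PROVIDERS.github],
                          [shared, { token: ACME_TOKEN }, PROVIDERS.acme]]);
}

function racePerProvider() {
  return runConcurrently([[new PerProviderOAuth2Adapter(PROVIDERS.github), { token: ACME_TOKEN }],
                          [new PerProviderOAuth2Adapter(PROVIDERS.acme), { token: ACME_TOKEN }]]);
}
```

`raceSingleton()` returns `[true, true]`, accepting the acme token for the github provider; `racePerProvider()` returns `[false, true]`.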

Exploit

Fix

Weakness Enumeration: Race Condition

Related Identifiers

BIT-PARSE-2026-32242
CVE-2026-32242
GHSA-2CJM-2GWV-M892

Affected Products

Parse
Parse Server