PT-2026-25072 · Bitnami · Parse

Fancymalware · Published 2026-03-12 · Updated 2026-03-16 · CVE-2026-32269

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 9.6.0-alpha.13 and 8.6.39
Description: Parse Server, an open source backend deployable on Node.js infrastructures, is affected by an issue in its OAuth2 authentication adapter. When appidField and appIds are configured, the adapter does not properly validate application IDs. During validation, a malformed value is sent to the token introspection API endpoint instead of the user's actual access token. The behavior of the introspection endpoint determines the impact: if it rejects the malformed value, every OAuth2 login fails; if it returns seemingly valid data for the incorrect request, authentication from unauthorized application contexts may be accepted. Deployments using the OAuth2 adapter with appidField and appIds configured are susceptible. The root cause is incorrect parameter alignment in the OAuth2 adapter's app ID validation method.
Recommendations: Versions prior to 9.6.0-alpha.13 should be updated to 9.6.0-alpha.13 or later. Versions prior to 8.6.39 should be updated to 8.6.39 or later.
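The parameter misalignment described above, as an added illustration (hypothetical code, not Parse Server's adapter): an app-ID check whose caller passes two string arguments in the wrong order, so the value reaching the introspection endpoint is the user id rather than the access token. The introspection mock with its strict and permissive modes, the option shape beyond the names appIds and appidField, and the sample users and tokens are all constructed for this example.

```javascript
// Constructed RFC 7662-style introspection mock. `permissive` models an endpoint that
// answers an unknown token with a default active record instead of { active: false }.
function makeIntrospection(permissive) {
  const issued = {
    'tok-user-1': { active: true, client_id: 'app-A' }, // token from the allow-listed app
    'tok-user-2': { active: true, client_id: 'app-B' }, // token from an unlisted app
  };
  return async (token) =>
    issued[token] || (permissive ? { active: true, client_id: 'app-A' } : { active: false });
}

// Hypothetical adapter method (not Parse Server's). Declared order is (accessToken, userId,
// options); options.appIds is the allow-list, options.appidField names the app-ID field.
async function checkAppId(accessToken, userId, options) {
  const info = await options.introspect(accessToken);
  const valid = info.active === true && options.appIds.includes(info[options.appidField]);
  return { valid, userId };
}

// Buggy call site: id and access_token are swapped, so the user id is what gets introspected.
function validateBuggy(authData, options) {
  return checkAppId(authData.id, authData.access_token, options);
}

// Corrected call site: arguments follow the declared order.
function validateFixed(authData, options) {
  return checkAppId(authData.access_token, authData.id, options);
}

// Exercises both call sites against a strict and a permissive endpoint and reports which
// logins would be accepted (constructed users: user-1 via app-A, user-2 via unlisted app-B).
async function demo() {
  const user1 = { id: 'user-1', access_token: 'tok-user-1' };
  const user2 = { id: 'user-2', access_token: 'tok-user-2' };
  const out = {};
  for (const [name, validate] of [['buggy', validateBuggy], ['fixed', validateFixed]]) {
    for (const permissive of [false, true]) {
      const options = { appIds: ['app-A'], appidField: 'client_id', introspect: makeIntrospection(permissive) };
      out[`${name}/${permissive ? 'permissive' : 'strict'}`] = {
        allowedApp: (await validate(user1, options)).valid,
        unlistedApp: (await validate(user2, options)).valid,
      };
    }
  }
  return out;
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

With the buggy call site, a strict endpoint rejects every login and a permissive one lets the unlisted app through; the fixed call site accepts only app-A in both cases.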

Related Identifiers

BIT-PARSE-2026-32269
CVE-2026-32269
GHSA-69XG-F649-W5G2

Affected Products

Parse
Parse Server