CVE-2026-30863

EPSS 0.53%
Veröffentlicht 07.03.2026 16:18:47
Zuletzt bearbeitet 10.03.2026 16:50:58
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

NVD 12 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.10

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.5.0

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha1 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha10 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha2 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha4 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha5 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha6 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha7 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha8 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha9 SwPlatformnode.js

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.53%	0.402

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-30863

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-30863

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-30863

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-30863