8.8
CVE-2026-30967
- EPSS 0.33%
- Veröffentlicht 10.03.2026 20:46:40
- Zuletzt bearbeitet 11.03.2026 19:04:03
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginParse Server OAuth2 authentication adapter account takeover via identity spoofing
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9. and 8.6.22.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.22
Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.5.2
Parseplatform ≫ Parse-server Version9.5.2 Updatealpha1 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.5.2 Updatealpha2 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.5.2 Updatealpha3 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.5.2 Updatealpha4 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.5.2 Updatealpha5 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.5.2 Updatealpha6 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.5.2 Updatealpha7 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.5.2 Updatealpha8 SwPlatformnode.js
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.33% | 0.249 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 7.6 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596
https://github.com/parse-community/parse-server/releases/tag/8.6.22
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9