CVE-2026-30863
CRITICAL WAF: Low
CVSS 9.8
Published: 2026-03-07
CWE-287 CWE-863
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11.
WAF Coverage Analysis
Improper Authentication
Low WAF Coverage
OWASP: A07:2021 Identification and Authentication Failures
Incorrect Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| parseplatform | parse-server | up to 8.6.10 |
| parseplatform | parse-server | 9.0.0 - 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
| parseplatform | parse-server | 9.5.0 |
References
- github.com (Vendor Advisory)