{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27804", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:31:33.266Z", "datePublished": "2026-02-25T23:48:20.858Z", "dateUpdated": "2026-02-26T17:03:50.903Z"}, "containers": {"cna": {"title": "Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter", "problemTypes": [{"descriptions": [{"cweId": "CWE-327", "lang": "en", "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4q3h-vp4r-prv2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4q3h-vp4r-prv2"}, {"name": "https://github.com/parse-community/parse-server/commit/9b94083accb7f3e72c6b8126c195c7a03dd2dfd7", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/9b94083accb7f3e72c6b8126c195c7a03dd2dfd7"}, {"name": "https://github.com/parse-community/parse-server/commit/9d5942d50e55c822924c27b05aa98f1393e7a330", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/9d5942d50e55c822924c27b05aa98f1393e7a330"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/8.6.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.3"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/9.3.1-alpha.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/9.3.1-alpha.4"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": ">= 9.0.0, < 9.3.1-alpha.4", "status": "affected"}, {"version": "< 8.6.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T23:48:20.858Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: \"none\"` to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. The fix in versions 8.6.3 and 9.1.1-alpha.4 hardcodes the expected `RS256` algorithm instead of trusting the JWT header, and replaces the Google adapter's custom key fetcher with `jwks-rsa` which rejects unknown key IDs. As a workaround, dsable Google authentication until upgrading is possible."}], "source": {"advisory": "GHSA-4q3h-vp4r-prv2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T17:03:17.987949Z", "id": "CVE-2026-27804", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T17:03:50.903Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27804", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-26T17:03:17.987949Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T17:03:36.283Z"}}], "cna": {"title": "Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter", "source": {"advisory": "GHSA-4q3h-vp4r-prv2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": ">= 9.0.0, < 9.3.1-alpha.4"}, {"status": "affected", "version": "< 8.6.3"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4q3h-vp4r-prv2", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4q3h-vp4r-prv2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/commit/9b94083accb7f3e72c6b8126c195c7a03dd2dfd7", "name": "https://github.com/parse-community/parse-server/commit/9b94083accb7f3e72c6b8126c195c7a03dd2dfd7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/9d5942d50e55c822924c27b05aa98f1393e7a330", "name": "https://github.com/parse-community/parse-server/commit/9d5942d50e55c822924c27b05aa98f1393e7a330", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.3", "name": "https://github.com/parse-community/parse-server/releases/tag/8.6.3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/9.3.1-alpha.4", "name": "https://github.com/parse-community/parse-server/releases/tag/9.3.1-alpha.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: \"none\"` to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. The fix in versions 8.6.3 and 9.1.1-alpha.4 hardcodes the expected `RS256` algorithm instead of trusting the JWT header, and replaces the Google adapter's custom key fetcher with `jwks-rsa` which rejects unknown key IDs. As a workaround, dsable Google authentication until upgrading is possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-327", "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T23:48:20.858Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27804", "state": "PUBLISHED", "dateUpdated": "2026-02-26T17:03:50.903Z", "dateReserved": "2026-02-24T02:31:33.266Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T23:48:20.858Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "6013714D-C959-4E21-90BC-38DB536DDD7A", "versionEndExcluding": "8.6.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "6DF6F6EE-4C02-49CB-9B73-D8C2A567DC5A", "versionEndExcluding": "9.3.1", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.3.1:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "DF17F1D3-1FF0-4F19-AF82-A8866CE625D3", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.3.1:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "98AB1B71-E3FD-457A-AA25-074E2F5A0581", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.3.1:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "C73893F8-315F-4FE3-9ADB-DD2965797C46", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: \"none\"` to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. The fix in versions 8.6.3 and 9.1.1-alpha.4 hardcodes the expected `RS256` algorithm instead of trusting the JWT header, and replaces the Google adapter's custom key fetcher with `jwks-rsa` which rejects unknown key IDs. As a workaround, dsable Google authentication until upgrading is possible."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede implementarse en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.3 y 9.1.1-alpha.4, un atacante no autenticado puede falsificar un token de autenticaci\u00f3n de Google con 'alg: \"none\"' para iniciar sesi\u00f3n como cualquier usuario vinculado a una cuenta de Google, sin conocer sus credenciales. Todas las implementaciones con autenticaci\u00f3n de Google habilitada se ven afectadas. La correcci\u00f3n en las versiones 8.6.3 y 9.1.1-alpha.4 codifica de forma r\u00edgida el algoritmo 'RS256' esperado en lugar de confiar en el encabezado JWT, y reemplaza el recuperador de claves personalizado del adaptador de Google con 'jwks-rsa' que rechaza los ID de clave desconocidos. Como soluci\u00f3n alternativa, deshabilite la autenticaci\u00f3n de Google hasta que sea posible la actualizaci\u00f3n."}], "id": "CVE-2026-27804", "lastModified": "2026-03-04T03:09:41.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T00:16:25.793", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/9b94083accb7f3e72c6b8126c195c7a03dd2dfd7"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/9d5942d50e55c822924c27b05aa98f1393e7a330"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.3"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/9.3.1-alpha.4"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4q3h-vp4r-prv2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}, {"lang": "en", "value": "CWE-345"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.3.1-alpha.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-04-17T14:40:26.934052+00:00", "value": {"mitigation_remediation": ["Upgrade Parse Server to version 8.6.3 or newer, or to 9.1.1\u2011alpha.4 if using a 9.x release. This fix hardcodes the expected RS256 algorithm and replaces the custom key fetcher with jwks\u2011rsa, rejecting unknown key IDs.", "If upgrading is not immediately possible, temporarily disable Google authentication in your Parse Server configuration to prevent the vulnerability from being exploitable.", "After deploying, monitor authentication logs for anomalous login attempts that might indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Account takeover via forged JWT tokens"}, "threat_synthesis": {"affected_systems": "All deployments of parse\u2011server by the Parse Community that have Google authentication enabled are affected. Versions prior to 8.6.3 and 9.1.1\u2011alpha.4, regardless of sub\u2011release, are vulnerable. The issue exists in Node.js environments running Parse Server on any infrastructure that hosts the application.", "description_and_impact": "Parse Server lets attackers forge a Google authentication token by setting the JWT header \"alg\" to \"none\". This bypasses signature verification, allowing the attacker to log in as any user whose Google account is linked to the Parse Server instance, even without knowing the user\u2019s credentials. The weakness is a classic algorithm confusion flaw, mapped to CWE\u2011327 and CWE\u2011345.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.3, indicating a high severity impact. The EPSS score is below 1%, suggesting a low but non\u2011zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit it remotely by crafting a JWT with \"alg\":\"none\" and sending it to the Parse Server\u2019s authentication endpoint, requiring only network access to the application and no prior credentials."}}}}, "created": "2026-02-26T13:10:30.083261+00:00", "updated": "2026-04-17T14:45:21.035445+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}