{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30863", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:27:35.342Z", "datePublished": "2026-03-07T16:18:47.786Z", "dateUpdated": "2026-03-09T18:25:24.090Z"}, "containers": {"cna": {"title": "Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 8.6.10", "status": "affected"}, {"version": "< 9.5.0-alpha.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:18:47.786Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11."}], "source": {"advisory": "GHSA-x6fw-778m-wr9v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T16:43:47.144774Z", "id": "CVE-2026-30863", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:25:24.090Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30863", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T16:43:47.144774Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T16:43:53.833Z"}}], "cna": {"title": "Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters", "source": {"advisory": "GHSA-x6fw-778m-wr9v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": "< 8.6.10"}, {"status": "affected", "version": "< 9.5.0-alpha.11"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:18:47.786Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30863", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:25:24.090Z", "dateReserved": "2026-03-05T21:27:35.342Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T16:18:47.786Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8AB7EA1E-148D-4A8B-AAF4-06FB708291B7", "versionEndExcluding": "8.6.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "77A07A2F-C8ED-4D78-A9C0-66AB42F69F38", "versionEndExcluding": "9.5.0", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "3E9F95CF-EEE1-42FC-904E-321F05E3DE4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha10:*:*:*:node.js:*:*", "matchCriteriaId": "18465CD3-DB00-4A7C-99D9-8B841829EEE4", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "5C02D6F0-5A3A-45F5-8A74-F75A8CCAE7DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "103C9745-031B-4822-A19C-A61375FBB1AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "8D67029D-C1BD-4D46-A84F-C52B4D364268", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "3B10930D-B416-4D9A-BA26-F0AD22BFAE28", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "72794836-5CFB-4928-BB22-D7DE813809B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7:*:*:*:node.js:*:*", "matchCriteriaId": "FA2C4C1E-3AE6-48E0-8B59-80554AE85BB0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha8:*:*:*:node.js:*:*", "matchCriteriaId": "40C8E499-E5C6-48DD-AE36-B73B2B6ADA67", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha9:*:*:*:node.js:*:*", "matchCriteriaId": "E92B2675-5D49-404B-BEC1-7037D6C1ACD5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.10 y 9.5.0-alpha.11, los adaptadores de autenticaci\u00f3n de Google, Apple y Facebook utilizan la verificaci\u00f3n JWT para validar tokens de identidad. Cuando la opci\u00f3n de configuraci\u00f3n de audiencia del adaptador no est\u00e1 establecida (clientId para Google/Apple, appIds para Facebook), la verificaci\u00f3n JWT omite silenciosamente la validaci\u00f3n de la declaraci\u00f3n de audiencia. Esto permite a un atacante utilizar un JWT v\u00e1lidamente firmado emitido para una aplicaci\u00f3n diferente para autenticarse como cualquier usuario en el Parse Server objetivo. Este problema ha sido parcheado en las versiones 8.6.10 y 9.5.0-alpha.11."}], "id": "CVE-2026-30863", "lastModified": "2026-03-10T16:50:58.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T17:15:54.137", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.5.0-alpha.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-04-18T09:45:54.547986+00:00", "value": {"mitigation_remediation": ["Update Parse Server to version 8.6.10 or later, or to 9.5.0\u2011alpha.11 or newer where the fix is included.", "If an immediate upgrade is not feasible, configure the authentication adapters to supply the correct audience value: set clientId for Google and Apple, and appIds for Facebook, ensuring that audience validation is performed.", "After applying the patch or configuration change, monitor authentication logs for abnormal activity and restrict exposure of the authentication endpoint to trusted networks."], "summary": {"action": "Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to Parse Server deployments that use the default Google, Apple, or Facebook authentication adapters without explicitly setting the audience value. Releases older than 8.6.10 or 9.5.0\u2011alpha.11 are affected; those versions and later contain the fix.", "description_and_impact": "Parse Server\u2019s Google, Apple, and Facebook authentication adapters validate identity tokens using JWT verification, but when the adapter\u2019s audience configuration option is unset, the verification routine silently skips checking the audience claim. This omission means a validly signed JWT issued for a different application can be accepted, allowing an attacker to authenticate as any user on the target Parse Server and gain full access to the server\u2019s resources.", "risk_and_exploitability": "The CVSS score of 9.3 classifies the flaw as critical, and the EPSS score of <\u202f1\u202f% indicates a very low but non\u2011zero probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw remotely by sending a crafted authentication request to the Parse Server endpoint that contains a validly signed JWT issued for another application. The attacker only needs a correctly signed token and does not require additional privileges. Based on the description, it is inferred that the attack vector is network\u2011based and relies on the standard authentication mechanism of Parse Server."}}}}, "created": "2026-03-09T10:05:00.345825+00:00", "updated": "2026-04-18T10:00:10.302800+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}