{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30949", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:34:39.980Z", "datePublished": "2026-03-10T20:20:12.187Z", "dateUpdated": "2026-03-10T20:40:49.355Z"}, "containers": {"cna": {"title": "Parse Server is missing audience validation in Keycloak authentication adapter", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/8.6.18", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.18"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": ">= 9.0.0 < 9.5.2-alpha.5", "status": "affected"}, {"version": "< 8.6.18", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:20:12.187Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected. This vulnerability is fixed in 9.5.2-alpha.5 and 8.6.18."}], "source": {"advisory": "GHSA-48mh-j4p5-7j9v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T20:40:36.292740Z", "id": "CVE-2026-30949", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T20:40:49.355Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30949", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T20:40:36.292740Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T20:40:44.917Z"}}], "cna": {"title": "Parse Server is missing audience validation in Keycloak authentication adapter", "source": {"advisory": "GHSA-48mh-j4p5-7j9v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": ">= 9.0.0 < 9.5.2-alpha.5"}, {"status": "affected", "version": "< 8.6.18"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.18", "name": "https://github.com/parse-community/parse-server/releases/tag/8.6.18", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5", "name": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected. This vulnerability is fixed in 9.5.2-alpha.5 and 8.6.18."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:20:12.187Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30949", "state": "PUBLISHED", "dateUpdated": "2026-03-10T20:40:49.355Z", "dateReserved": "2026-03-07T17:34:39.980Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T20:20:12.187Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2AE03724-532F-47A8-93E9-6BF57E1FCEF6", "versionEndExcluding": "8.6.18", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E66572ED-597B-4D8E-A636-733D463A4E4D", "versionEndExcluding": "9.5.2", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "E0D611B9-CD4F-418B-8FBD-CFA1BCA9E817", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "6521B8A9-6116-4CAE-9B5E-F22C204B1F0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "601B2CF1-D29A-42CC-8405-185C1A8E1EB2", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "BC9F2B9D-026F-454B-B565-05AA441FA54F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected. This vulnerability is fixed in 9.5.2-alpha.5 and 8.6.18."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.5.2-alpha.5 y 8.6.18, el adaptador de autenticaci\u00f3n de Keycloak no valida la declaraci\u00f3n azp (parte autorizada) de los tokens de acceso de Keycloak contra el client-id configurado. Un token de acceso v\u00e1lido emitido por el mismo reino de Keycloak para una aplicaci\u00f3n cliente diferente puede ser usado para autenticarse como cualquier usuario en el Parse Server que usa el adaptador de Keycloak. Esto permite la toma de control de cuentas entre aplicaciones en reinos de Keycloak multi-cliente. Todas las implementaciones de Parse Server que usan el adaptador de autenticaci\u00f3n de Keycloak con un reino de Keycloak que tiene m\u00faltiples aplicaciones cliente est\u00e1n afectadas. Esta vulnerabilidad est\u00e1 corregida en 9.5.2-alpha.5 y 8.6.18."}], "id": "CVE-2026-30949", "lastModified": "2026-03-11T19:40:59.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T21:16:47.847", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.18"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.5.2-alpha.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.18)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-04-17T11:37:10.683426+00:00", "value": {"mitigation_remediation": ["Upgrade Parse Server to version 9.5.2\u2011alpha.5 or newer, or 8.6.18 or newer, which contain the azp claim validation fix.", "If an immediate upgrade is not possible, restrict the Keycloak realm to a single client application per Parse Server instance or migrate the affected Parse Server to its own Keycloak realm to eliminate cross\u2011application token reuse.", "Monitor authentication logs for anomalous azp claims or tokens issued for unexpected clients, and revoke or invalidate tokens that do not match the expected client ID."], "summary": {"action": "Immediate Update", "impact": "Unauthorized Account Takeover via Keycloak tokens"}, "threat_synthesis": {"affected_systems": "Parse Server deployments running versions prior to 9.5.2\u2011alpha.5 or 8.6.18 that use the Keycloak authentication adapter and are connected to a Keycloak realm with multiple client applications are affected. The product is open\u2011source Parse Server, which can be deployed wherever Node.js runs.", "description_and_impact": "The vulnerability arises because the Parse Server Keycloak authentication adapter does not verify the azp (authorized party) claim in Keycloak access tokens. A token issued for one client application can be used to authenticate as any user on the affected Parse Server, enabling cross\u2011application account takeover in multi\u2011client Keycloak realms. This flaw allows an attacker who obtains a valid token for a different client to impersonate any user on the affected Parse Server, effectively achieving account takeover without any additional privileges or access to the server itself. The weakness is a form of authentication bypass (CWE\u2011287).", "risk_and_exploitability": "The CVSS score of 7.6 reflects a high impact and medium exploitability. The EPSS score of less than 1\u202f% indicates that the likelihood of public exploitation is low, and the vulnerability is not currently listed in the KEV catalog. However, an attacker who can acquire a valid Keycloak token for another client can trivially exploit the flaw by presenting the token to the Parse Server, bypassing all user\u2011level authentication checks. The attack vector is likely remote via signed JWT tokens, and no special privileges are required on the server side. Given the absence of a KEV listing, widespread exploitation may be limited, but the potential for internal account takeover remains significant for organizations using multi\u2011client Keycloak realms."}}}}, "created": "2026-03-11T11:42:53.282579+00:00", "updated": "2026-04-17T11:45:06.230557+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}