Parse Server Keycloak Authentication Adapter Audience Validation Vulnerability Allowing Account Takeover

Vulnerability

A vulnerability exists in the Keycloak authentication adapter of Parse Server in versions prior to 9.5.2-alpha.5 and 8.6.18. The adapter fails to validate the 'azp' (authorized party) claim of Keycloak access tokens against the configured client ID. As a result, a valid access token from the same Keycloak realm that was issued for a different client application can be used to authenticate as any user on a Parse Server that uses the Keycloak adapter. This flaw enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter in such a Keycloak environment are affected.
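The following added example (not Parse Server's or Keycloak's own code) contrasts the two validation shapes described above over constructed sample token claims: a check that only verifies the realm issuer and subject, which accepts a token minted for another client in the same realm, and a hardened check that additionally binds the token to the configured client ID via the 'azp' claim. The realm URL, client IDs, user ID and claim values are assumptions made up for the example; it assumes the JWT signature has already been verified against the realm's keys before the claims are inspected.

```javascript
// Added example, not Parse Server's own adapter code. The objects below are
// constructed decoded-JWT payloads; a real adapter must verify the JWT signature
// against the realm's published keys before trusting any of these claims.

const REALM_ISSUER = "https://keycloak.example.test/realms/demo"; // assumed sample realm
const PARSE_CLIENT_ID = "parse-app";                             // assumed configured client ID
const NOW = 1_700_000_000;                                        // fixed clock for a deterministic run

// Token legitimately issued to the Parse app client.
const tokenForParseClient = {
  iss: REALM_ISSUER, sub: "user-123", azp: PARSE_CLIENT_ID, exp: NOW + 300,
};

// Token from the same realm and same user, but issued to an unrelated client.
const tokenForOtherClient = {
  iss: REALM_ISSUER, sub: "user-123", azp: "other-app", exp: NOW + 300,
};

// Checks shared by both variants: issuer, expiry, and that the token's subject
// is the user the login request claims to be.
function baseChecks(payload, claimedUserId, now) {
  if (payload.iss !== REALM_ISSUER) return { ok: false, reason: "issuer mismatch" };
  if (typeof payload.exp !== "number" || payload.exp <= now) return { ok: false, reason: "token expired" };
  if (payload.sub !== claimedUserId) return { ok: false, reason: "subject mismatch" };
  return { ok: true };
}

// Vulnerable shape: any valid token from the realm is accepted, regardless of
// which client it was issued for.
function vulnerableCheck(payload, claimedUserId, now = NOW) {
  return baseChecks(payload, claimedUserId, now);
}

// Hardened shape: the token must also name this client as the authorized party.
function hardenedCheck(payload, claimedUserId, clientId = PARSE_CLIENT_ID, now = NOW) {
  const base = baseChecks(payload, claimedUserId, now);
  if (!base.ok) return base;
  if (typeof payload.azp !== "string" || payload.azp !== clientId) {
    return { ok: false, reason: "token not issued for this client (azp mismatch)" };
  }
  return { ok: true };
}

// Demonstration: the vulnerable check accepts both tokens, the hardened one only the first.
console.log("vulnerable / parse client:", vulnerableCheck(tokenForParseClient, "user-123"));
console.log("vulnerable / other client:", vulnerableCheck(tokenForOtherClient, "user-123"));
console.log("hardened   / parse client:", hardenedCheck(tokenForParseClient, "user-123"));
console.log("hardened   / other client:", hardenedCheck(tokenForOtherClient, "user-123"));
```

The point of the comparison is that issuer, expiry and subject all look identical for the two tokens; only the 'azp' claim distinguishes the client the token was minted for, so a validator that never compares it to the configured client ID cannot tell them apart.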

Impact

Exploitation of this vulnerability allows unauthorized authentication as any user on the affected Parse Server, enabling account takeover.

Remediation

Upgrade to Parse Server version 9.5.2-alpha.5 or 8.6.18 to address this vulnerability.

Added: Mar 10, 2026, 9:27 PM
Updated: Mar 10, 2026, 9:27 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 1.3
exploitability: 5.0
remediation: 7.7
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.