Parse Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:*:*
- >= 9.0.0, < 9.6.0-alpha.13
- >= 8.0.2, < 8.6.39
A vulnerability exists in the Parse Server OAuth2 authentication adapter in versions 9.0.0 prior to 9.6.0-alpha.13 and 8.0.2 prior to 8.6.39. It is only reachable when both `appidField` and `appIds` are configured: in that configuration the adapter does not validate app IDs correctly and sends a malformed value to the token introspection endpoint instead of the user's actual access token. The effect depends on how the introspection endpoint answers the malformed request. If it reports the value as inactive, every OAuth2 login fails; if it returns valid-looking data for the malformed value, the adapter can accept a login from an app context that `appIds` was meant to exclude.
The impact is therefore either a denial of service for OAuth2 logins or an authentication bypass of the app-ID allowlist, depending on the introspection endpoint's behaviour.
Users should upgrade to Parse Server 9.6.0-alpha.13 or 8.6.39 (or later) to address this vulnerability. Deployments that do not set `appidField` and `appIds` are not affected by this issue, but should still upgrade.
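The following is an added example, not code from Parse Server or the OAuth2 adapter, written in Node.js to show what a correct introspection-plus-app-ID check looks like: the value forwarded to the introspection endpoint is exactly the user's access token, and the app-ID allowlist is enforced on the response for that token. It assumes (as a reading of the adapter's documented options, not verified against its source) that `appidField` names the field of the introspection response that carries the calling app's ID and that `appIds` is the list of accepted values. The HTTP call to the introspection endpoint is replaced by an in-memory stub over constructed data; `validateAuthData`, `checkAppId`, `outcome` and the token names are hypothetical.

```javascript
// Added example (not Parse Server's own code): a token-introspection check in
// the shape of the OAuth2 adapter's documented options appidField and appIds.
// Assumption: appidField names the field of the introspection response that
// carries the calling app's ID, and appIds is the allowlist of accepted values.
// The HTTP POST to tokenIntrospectionEndpointUrl is replaced by an in-memory stub.

// Constructed introspection data (RFC 7662 style responses), keyed by token.
const INTROSPECTION_DB = {
  "tok-mobile-123":  { active: true, client_id: "mobile-app",  sub: "alice" },
  "tok-partner-456": { active: true, client_id: "partner-app", sub: "bob" },
};

// Stand-in for POST <tokenIntrospectionEndpointUrl> with body token=<value>.
// Unknown values are reported inactive, as a conforming endpoint would.
function stubIntrospect(tokenValue) {
  return INTROSPECTION_DB[tokenValue] || { active: false };
}

// The value forwarded to introspection must be the user's access token and
// nothing else; anything missing or non-string is rejected before any request.
function introspectionTokenFor(authData) {
  const token = authData && authData.access_token;
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("OAuth2: authData.access_token must be a non-empty string");
  }
  return token;
}

// Enforces the app-ID allowlist against the introspection response.
// Returns true when no restriction is configured or the app ID is allowed;
// throws on a half-configured restriction or a disallowed app ID.
function checkAppId(response, options) {
  const { appidField, appIds } = options;
  if (appidField === undefined && appIds === undefined) return true;
  if (typeof appidField !== "string" || !Array.isArray(appIds) || appIds.length === 0) {
    throw new Error("OAuth2: appidField and appIds must be configured together");
  }
  const appId = response[appidField];
  if (typeof appId !== "string" || !appIds.includes(appId)) {
    throw new Error(`OAuth2: app ID ${JSON.stringify(appId)} is not in appIds`);
  }
  return true;
}

// Full validation of an OAuth2 authData object: introspect the real token,
// require an active token whose subject matches authData.id, then apply the
// app-ID allowlist. Returns the introspection response on success.
function validateAuthData(authData, options = {}, introspect = stubIntrospect) {
  const response = introspect(introspectionTokenFor(authData));
  if (!response.active) {
    throw new Error("OAuth2: token is not active");
  }
  if (response.sub !== authData.id) {
    throw new Error("OAuth2: token subject does not match authData.id");
  }
  checkAppId(response, options);
  return response;
}

// Convenience for walking through the cases: returns "ok" or the error message.
function outcome(authData, options) {
  try {
    validateAuthData(authData, options);
    return "ok";
  } catch (err) {
    return err.message;
  }
}

// Example run: the mobile app is allowed, the partner app is not.
const restrict = { appidField: "client_id", appIds: ["mobile-app"] };
console.log(outcome({ id: "alice", access_token: "tok-mobile-123" }, restrict));
console.log(outcome({ id: "bob", access_token: "tok-partner-456" }, restrict));
```

Two points the example makes explicit: the allowlist is checked against the response for the real token, so an endpoint that answers "valid-looking" data for a malformed value never enters the decision, and a half-configured restriction (one of `appidField` or `appIds` missing) fails closed rather than silently disabling the check.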