Platform
nodejs
Component
parse-server
Fixed in
8.6.11
9.5.1
8.6.11
9.5.1
9.5.0-alpha.11
CVE-2026-30863 is a critical vulnerability affecting Parse Server, a backend service for mobile and web applications. This flaw allows attackers to bypass authentication by exploiting a weakness in the JWT (JSON Web Token) verification process within the Google, Apple, and Facebook authentication adapters. The vulnerability impacts versions of Parse Server prior to 9.5.0-alpha.11, enabling unauthorized access and potentially complete account takeover. A fix has been released in version 9.5.0-alpha.11.
The core of this vulnerability lies in the misconfiguration of the authentication adapters. Specifically, if the clientId (for Google/Apple) or appIds (for Facebook) audience configuration option is not set, the JWT verification process silently skips audience claim validation. This means an attacker can craft a validly signed JWT intended for a different application and successfully use it to authenticate as any user on the vulnerable Parse Server instance. The potential impact is severe, ranging from unauthorized data access and modification to complete account compromise and potential lateral movement within the application ecosystem. This bypass effectively renders the authentication mechanism useless, allowing attackers to impersonate legitimate users without proper credentials.
CVE-2026-30863 was publicly disclosed on 2026-03-09. Its severity is rated as CRITICAL (9.5 CVSS). Currently, there are no known public proof-of-concept exploits available, but the ease of exploitation given the misconfiguration makes it a high-probability vulnerability. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the potential for widespread impact warrants immediate attention.
Exploit Status
EPSS
0.03% (8% percentile)
CISA SSVC
The primary mitigation for CVE-2026-30863 is to immediately upgrade Parse Server to version 9.5.0-alpha.11 or later. Prior to upgrading, carefully review your authentication adapter configurations to ensure the clientId (Google/Apple) and appIds (Facebook) options are correctly set. If an upgrade is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing JWTs with missing or invalid audience claims. While not a complete solution, this can provide a temporary layer of defense. Monitor Parse Server logs for unusual authentication activity, particularly attempts to authenticate with JWTs from unexpected sources. There are no specific Sigma or YARA rules available at this time, but monitoring JWT payload structure for unexpected claims is recommended.
Actualice Parse Server a la versión 8.6.10 o superior, o a la versión 9.5.0-alpha.11 o superior. Esto corrige la validación JWT en los adaptadores de autenticación de Google, Apple y Facebook.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-30863 is a critical vulnerability in Parse Server where misconfigured authentication adapters allow attackers to bypass JWT verification and authenticate as any user.
If you are using Parse Server versions prior to 9.5.0-alpha.11 and have not properly configured the clientId or appIds for your authentication adapters, you are likely affected.
Upgrade Parse Server to version 9.5.0-alpha.11 or later. Ensure the clientId (Google/Apple) and appIds (Facebook) options are correctly configured in your authentication adapter settings.
While no active exploitation has been confirmed, the ease of exploitation makes it a high-probability vulnerability and warrants immediate action.
Refer to the official Parse Server security advisory for details and updates: [https://github.com/parse/parse-server/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.