CVE-2026-30949

UNKNOWN 0.0

Parse Server is missing audience validation in Keycloak authentication adapter

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected. This vulnerability is fixed in 9.5.2-alpha.5 and 8.6.18.

CWE	CWE-287
Vendor	parse-community
Product	parse-server
Published	Mar 10, 2026
Last Updated	Mar 10, 2026

Stay Ahead of the Next One

Get instant alerts for parse-community parse-server

Be the first to know when new unknown vulnerabilities affecting parse-community parse-server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

parse-community / parse-server

>= 9.0.0 < 9.5.2-alpha.5 < 8.6.18

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v github.com: https://github.com/parse-community/parse-server/releases/tag/8.6.18 github.com: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5