CVE-2026-32269

UNKNOWN 0.0

Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request. Deployments using the OAuth2 adapter with appidField and appIds configured are affected. This vulnerability is fixed in 9.6.0-alpha.13 and 8.6.39.

CWE	CWE-683
Vendor	parse-community
Product	parse-server
Published	Mar 12, 2026
Last Updated	Mar 13, 2026

Stay Ahead of the Next One

Get instant alerts for parse-community parse-server

Be the first to know when new unknown vulnerabilities affecting parse-community parse-server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

parse-community / parse-server

>= 9.0.0, < 9.6.0-alpha.13 >= 8.0.2, < 8.6.39

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2 github.com: https://github.com/parse-community/parse-server/releases/tag/8.6.39 github.com: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13