CVE-2026-30863

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-30863
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30863.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-30863
Aliases
Published
2026-03-07T16:18:47.786Z
Modified
2026-04-10T05:42:01.718002Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11.

Database specific 
{
    "cwe_ids": [
        "CWE-287"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30863.json"
}
References

Affected packages

Git / github.com/parse-community/parse-server

Affected ranges

Type
GIT
Repo
https://github.com/parse-community/parse-server
Events
Introduced
532a461d30a6ed4457839f2caf5f30d5abf51a55
Fixed
59ec92142b27e1b016c0bc596295b14a78843444

Affected versions

9.*
9.0.0
9.1.0
9.1.1
9.2.0
9.3.0
9.3.1
9.4.0
9.4.1
9.5.0-alpha.1
9.5.0-alpha.10
9.5.0-alpha.2
9.5.0-alpha.3
9.5.0-alpha.4
9.5.0-alpha.5
9.5.0-alpha.6
9.5.0-alpha.7
9.5.0-alpha.8
9.5.0-alpha.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30863.json"