GHSA-48mh-j4p5-7j9v

Source

https://github.com/advisories/GHSA-48mh-j4p5-7j9v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-48mh-j4p5-7j9v/GHSA-48mh-j4p5-7j9v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-48mh-j4p5-7j9v

Aliases

Published

2026-03-11T00:17:53Z

Modified

2026-03-14T03:41:20.465089Z

Severity

7.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Parse Server missing audience validation in Keycloak authentication adapter

Details

Impact

The Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms.

All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected.

Patches

The fix replaces the userinfo HTTP call with local JWT verification and enforces azp claim validation against the configured client-id.

Workarounds

None.

References

GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v
Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5
Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.18

Database specific

{
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T00:17:53Z",
    "nvd_published_at": "2026-03-10T21:16:47Z"
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

9.0.0

Fixed

9.5.2-alpha.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-48mh-j4p5-7j9v/GHSA-48mh-j4p5-7j9v.json"

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.6.18

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-48mh-j4p5-7j9v/GHSA-48mh-j4p5-7j9v.json"