GHSA-4q3h-vp4r-prv2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4q3h-vp4r-prv2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-4q3h-vp4r-prv2/GHSA-4q3h-vp4r-prv2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4q3h-vp4r-prv2
- Aliases
- Published
- 2026-02-25T23:00:49Z
- Modified
- 2026-03-02T12:17:22.300541Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
- Details
-
Impact
An unauthenticated attacker can forge a Google authentication token with
alg: "none"to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected.Patches
The fix hardcodes the expected
RS256algorithm instead of trusting the JWT header, and replaces the Google adapter's custom key fetcher withjwks-rsawhich rejects unknown key IDs.Workarounds
Disable Google authentication until you can upgrade.
References
- GitHub advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-4q3h-vp4r-prv2
- Fixed in Parse Server 9.3.1-alpha.4: https://github.com/parse-community/parse-server/releases/tag/9.3.1-alpha.4
- Fixed in Parse Server 8.6.3: https://github.com/parse-community/parse-server/releases/tag/8.6.3
- Database specific
{ "github_reviewed_at": "2026-02-25T23:00:49Z", "nvd_published_at": "2026-02-26T00:16:25Z", "cwe_ids": [ "CWE-327", "CWE-345" ], "severity": "CRITICAL", "github_reviewed": true }- References
-
- https://github.com/parse-community/parse-server/security/advisories/GHSA-4q3h-vp4r-prv2
- https://nvd.nist.gov/vuln/detail/CVE-2026-27804
- https://github.com/parse-community/parse-server/commit/9b94083accb7f3e72c6b8126c195c7a03dd2dfd7
- https://github.com/parse-community/parse-server/commit/9d5942d50e55c822924c27b05aa98f1393e7a330
- https://github.com/parse-community/parse-server
- https://github.com/parse-community/parse-server/releases/tag/8.6.3
- https://github.com/parse-community/parse-server/releases/tag/9.3.1-alpha.4
Affected packages
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server