GHSA-69xg-f649-w5g2

Source

https://github.com/advisories/GHSA-69xg-f649-w5g2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-69xg-f649-w5g2/GHSA-69xg-f649-w5g2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-69xg-f649-w5g2

Aliases

Published

2026-03-13T20:02:25Z

Modified

2026-03-16T10:40:56.912017Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint

Details

Impact

The OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request.

Deployments using the OAuth2 adapter with appidField and appIds configured are affected.

Patches

The fix corrects the parameter alignment in the OAuth2 adapter's app ID validation method to match the expected interface, ensuring the correct access token is sent to the introspection endpoint.

Workarounds

There is no known workaround.

References

GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2
Fix in Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13
Fix in Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.39

Database specific

{
    "github_reviewed_at": "2026-03-13T20:02:25Z",
    "nvd_published_at": "2026-03-12T20:16:06Z",
    "cwe_ids": [
        "CWE-683"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

9.0.0

Fixed

9.6.0-alpha.13

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-69xg-f649-w5g2/GHSA-69xg-f649-w5g2.json"

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

8.0.2

Fixed

8.6.39

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-69xg-f649-w5g2/GHSA-69xg-f649-w5g2.json"