GHSA-X6FW-778M-WR9V

Vulnerability from github – Published: 2026-03-09 17:42 – Updated: 2026-03-09 17:42
VLAI?
Summary
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Details

Impact

The Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server.

  • For Google and Apple, the vulnerability is exploitable when the server does not configure clientId. The adapters accepted this as valid and simply skipped audience validation.
  • For Facebook Limited Login, the vulnerability exists regardless of configuration. The adapter validated appIds only for Standard Login (Graph API), but the Limited Login JWT path never passed appIds as the audience to JWT verification.

Patches

The fix enforces clientId (Google/Apple) and appIds (Facebook) as mandatory and passes them to JWT verification for audience validation. While this is technically a breaking change for servers that omit these options, it is not a breaking change as per documentation — all three options are documented as required configuration.

Workarounds

  • Google / Apple: Ensure clientId is set in the adapter configuration. When set, JWT verification correctly validates the audience claim even on unpatched versions.
  • Facebook Limited Login: There is no workaround. The unpatched adapter does not pass appIds to JWT audience validation, so the only mitigation is to upgrade.

References

  • GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v
  • Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.11
  • Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.10
Severity ?
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0-alpha.1"
            },
            {
              "fixed": "9.5.0-alpha.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.6.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-09T17:42:22Z",
    "nvd_published_at": "2026-03-07T17:15:54Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter\u0027s audience configuration option is not set (`clientId` for Google/Apple, `appIds` for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server.\n\n- For Google and Apple, the vulnerability is exploitable when the server does not configure `clientId`. The adapters accepted this as valid and simply skipped audience validation.\n- For Facebook Limited Login, the vulnerability exists regardless of configuration. The adapter validated `appIds` only for Standard Login (Graph API), but the Limited Login JWT path never passed `appIds` as the audience to JWT verification.\n\n### Patches\n\nThe fix enforces `clientId` (Google/Apple) and `appIds` (Facebook) as mandatory and passes them to JWT verification for audience validation. While this is technically a breaking change for servers that omit these options, it is not a breaking change as per documentation \u2014 all three options are documented as required configuration.\n\n### Workarounds\n\n- Google / Apple: Ensure `clientId` is set in the adapter configuration. When set, JWT verification correctly validates the audience claim even on unpatched versions.\n- Facebook Limited Login: There is no workaround. The unpatched adapter does not pass `appIds` to JWT audience validation, so the only mitigation is to upgrade.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.11\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.10",
  "id": "GHSA-x6fw-778m-wr9v",
  "modified": "2026-03-09T17:42:22Z",
  "published": "2026-03-09T17:42:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30863"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.