LeakyCreds

CVE-2026-30863 - Vulnerability Analysis

Severity: Critical
CVSS: 9.8

Last Updated: March 10, 2026

Parse Server - Authentication Bypass

Published: March 7, 2026
Updated: March 10, 2026
PoC Available
Remote Exploitable

Overview

Parse Server prior to 8.6.10 and 9.5.0-alpha.11 contains broken authentication caused by missing audience (aud) claim validation in the JWT verification performed by the Google, Apple, and Facebook authentication adapters. Because the identity provider signs tokens for many client applications with the same keys, a signature check alone does not tie a token to this deployment, so an attacker can authenticate as any user by presenting a JWT that was issued for a different application. Exploitation requires a misconfigured audience option.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 7.1% (probability of exploitation in the next 30 days)

Impact

Attackers can authenticate as any user using JWTs issued for different applications, leading to unauthorized access.

Mitigation

Update to versions 8.6.10 or 9.5.0-alpha.11 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 10, 2026

🔓 CVE-2026-30863 - Critical (9.8) Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30863/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-30863
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: confirmed
EPSS: 7.1%
Social Posts: 1

CWE

  • CWE-287
  • CWE-863

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

7.1% (probability of exploitation in the next 30 days)