CVE-2026-30863 - Vulnerability Analysis

Overview

Parse Server prior to 8.6.10 and 9.5.0-alpha.11 contains a broken authentication caused by missing audience claim validation in JWT verification for Google, Apple, and Facebook adapters, letting attackers authenticate as any user using JWTs from other applications, exploit requires misconfigured audience option.

Severity & Score

Impact

Attackers can authenticate as any user using JWTs issued for different applications, leading to unauthorized access.

Mitigation

Update to versions 8.6.10 or 9.5.0-alpha.11 or later.

References

• https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v

Social Media Activity(1 post)

Offensive Sequence

@offseq

Mar 8, 2026

🚨 CRITICAL: parse-server (<8.6.10, <9.5.0-alpha.11) has CWE-287 improper authentication (CVE-2026-30863). JWT audience check skipped by default; attackers can impersonate users. Patch or set audience now. https://radar.offseq.com/threat/cve-2026-30863-cwe-287-improper-authentication-in--0b463399 #OffSeq #CVE202630863 #ParseServer #infosec

View original post

GitHub Repositories(1 repo)

• https://github.com/Worthes/CVE-2026-30863-Exploit

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner