Home / Vulnerability Intelligence / CVE-2026-30949

CVE-2026-30949 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 11, 2026

Parse Server - Authentication Bypass

Published: March 10, 2026Updated: March 11, 2026Remote Exploitable

Overview

Parse Server < 9.5.2-alpha.5 and < 8.6.18 contains an authentication bypass caused by lack of azp claim validation in Keycloak adapter, letting attackers use tokens from other clients to authenticate as any user, exploit requires multi-client Keycloak realm.

Severity & Score

Severity: High

CVSS Score: 8.8

Impact

Attackers can authenticate as any user across applications, enabling cross-application account takeover.

Mitigation

Update to versions 9.5.2-alpha.5 or 8.6.18 or later.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v
https://github.com/parse-community/parse-server/releases/tag/8.6.18
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-30949
Severity: High
CVSS Score: 8.8
Type: broken_authentication
Status: confirmed

CWE

CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H