Home / Vulnerability Intelligence / CVE-2026-30967

CVE-2026-30967 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 11, 2026

Parse Server - Authentication Bypass

Published: March 10, 2026Updated: March 11, 2026Remote Exploitable

Overview

Parse Server < 9.5.2-alpha.9 and < 8.6.22 contains an authentication bypass caused by missing useridField verification in OAuth2 adapter, letting attackers authenticate as any user with a valid token, exploit requires OAuth2 token from same provider.

Severity & Score

Severity: High

CVSS Score: 8.8

Impact

Attackers can authenticate as any user with a valid OAuth2 token, leading to unauthorized access.

Mitigation

Upgrade to versions 9.5.2-alpha.9 or 8.6.22 or later.

References

https://github.com/parse-community/parse-server/releases/tag/8.6.22
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9
https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-30967
Severity: High
CVSS Score: 8.8
Type: broken_authentication
Status: confirmed

CWE

CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H