UNKNOWN npm
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
GHSA-4q3h-vp4r-prv2 · BIT-parse-2026-27804 · CVE-2026-27804
Published · Modified
Description
Impact
An unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected.
Patches
The fix hardcodes the expected RS256 algorithm instead of trusting the JWT header, and replaces the Google adapter's custom key fetcher with jwks-rsa which rejects unknown key IDs.
Workarounds
Disable Google authentication until you can upgrade.
References
- GitHub advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-4q3h-vp4r-prv2
- Fixed in Parse Server 9.3.1-alpha.4: https://github.com/parse-community/parse-server/releases/tag/9.3.1-alpha.4
- Fixed in Parse Server 8.6.3: https://github.com/parse-community/parse-server/releases/tag/8.6.3
References
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-4q3h-vp4r-prv2
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-27804
- WEB https://github.com/parse-community/parse-server/commit/9b94083accb7f3e72c6b8126c195c7a03dd2dfd7
- WEB https://github.com/parse-community/parse-server/commit/9d5942d50e55c822924c27b05aa98f1393e7a330
- PACKAGE https://github.com/parse-community/parse-server
- WEB https://github.com/parse-community/parse-server/releases/tag/8.6.3
- WEB https://github.com/parse-community/parse-server/releases/tag/9.3.1-alpha.4
Ready to move
Start Securing
Free, no credit card | First findings in minutes