Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
GHSA-69xg-f649-w5g2 · BIT-parse-2026-32269 · CVE-2026-32269
Published · Modified
Description
Impact
The OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request.
Deployments using the OAuth2 adapter with appidField and appIds configured are affected.
Patches
The fix corrects the parameter alignment in the OAuth2 adapter's app ID validation method to match the expected interface, ensuring the correct access token is sent to the introspection endpoint.
Workarounds
There is no known workaround.
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2
- Fix in Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13
- Fix in Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.39
References
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-32269
- PACKAGE https://github.com/parse-community/parse-server
- WEB https://github.com/parse-community/parse-server/releases/tag/8.6.39
- WEB https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13
Ready to move
Start Securing
Free, no credit card | First findings in minutes