CVE-2026-27804

Summary

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. The fix in versions 8.6.3 and 9.1.1-alpha.4 hardcodes the expected RS256 algorithm instead of trusting the JWT header, and replaces the Google adapter's custom key fetcher with jwks-rsa which rejects unknown key IDs. As a workaround, dsable Google authentication until upgrading is possible.

Affected Software

VendorProductVersion RangeStatus
parse-communityparse-server>= 9.0.0, < 9.3.1-alpha.4affected
parse-communityparse-server< 8.6.3affected

Weaknesses

  • CWE-327: CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-345: CWE-345: Insufficient Verification of Data Authenticity

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References