Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-30863

Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Back to all
CVE

CVE-2026-30863

Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters

Impact

The Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server.

  • For Google and Apple, the vulnerability is exploitable when the server does not configure clientId. The adapters accepted this as valid and simply skipped audience validation.
  • For Facebook Limited Login, the vulnerability exists regardless of configuration. The adapter validated appIds only for Standard Login (Graph API), but the Limited Login JWT path never passed appIds as the audience to JWT verification.

Patches

The fix enforces clientId (Google/Apple) and appIds (Facebook) as mandatory and passes them to JWT verification for audience validation. While this is technically a breaking change for servers that omit these options, it is not a breaking change as per documentation — all three options are documented as required configuration.

Workarounds

  • Google / Apple: Ensure clientId is set in the adapter configuration. When set, JWT verification correctly validates the audience claim even on unpatched versions.
  • Facebook Limited Login: There is no workaround. The unpatched adapter does not pass appIds to JWT audience validation, so the only mitigation is to upgrade.

References

  • GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v
  • Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.11
  • Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.10

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
9.3
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
9.1
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Related Resources

No items found.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v, https://nvd.nist.gov/vuln/detail/CVE-2026-30863, https://github.com/parse-community/parse-server

Severity

9.1

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
9.1
EPSS Probability
0.00066%
EPSS Percentile
0.20247%
Introduced Version
9.0.0-alpha.1,5.0.0-alpha.1,4.5.1,4.3.0,3.5.0
Fix Available
9.5.0-alpha.11,8.6.10

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading