Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request. Deployments using the OAuth2 adapter with appidField and appIds configured are affected. This vulnerability is fixed in 9.6.0-alpha.13 and 8.6.39.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | >= 8.0.2, < 8.6.39 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/releases/tag/8.6.39Release Notes
- https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13Release Notes
- https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f6Vendor Advisory
FAQ
What is CVE-2026-32269?
CVE-2026-32269 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validat...
How severe is CVE-2026-32269?
CVE-2026-32269 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32269?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.