GHSA-48MH-J4P5-7J9V Parse Server missing audience validation in Keycloak authentication adapter

Impact The Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse...

Parse Server missing audience validation in Keycloak authentication adapter

Impact The Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse...

CVE-2026-30949

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid acces...

CVE-2026-30949

CVE-2026-30949 affects Parse Server deployments using the Keycloak authentication adapter. The issue is that the azp (authorized party) claim in Keycloak access tokens is not validated against the configured client-id, enabling a valid token from one client to authenticate as any user on Parse Se...

PT-2026-24427

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.5.2-alpha.5 Parse Server versions prior to 8.6.18 Description Parse Server, an open source backend deployable on Node.js infrastructures, contains a flaw in its Keycloak authentication adapter. Specifically, th...