Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-dazy-p9qb-7qgk
Vulnerability ID VCID-dazy-p9qb-7qgk
Aliases CVE-2026-30949
GHSA-48mh-j4p5-7j9v
Summary Parse Server missing audience validation in Keycloak authentication adapter The Keycloak authentication adapter does not validate the `azp` (authorized party) claim of Keycloak access tokens against the configured `client-id`. A valid access token issued by the same Keycloak realm for a *different* client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-287 Improper Authentication
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00046 https://api.first.org/data/v1/epss?cve=CVE-2026-30949
epss 0.00046 https://api.first.org/data/v1/epss?cve=CVE-2026-30949
epss 0.00046 https://api.first.org/data/v1/epss?cve=CVE-2026-30949
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-48mh-j4p5-7j9v
cvssv4 7.6 https://github.com/parse-community/parse-server
generic_textual HIGH https://github.com/parse-community/parse-server
cvssv4 7.6 https://github.com/parse-community/parse-server/releases/tag/8.6.18
generic_textual HIGH https://github.com/parse-community/parse-server/releases/tag/8.6.18
ssvc Track https://github.com/parse-community/parse-server/releases/tag/8.6.18
cvssv4 7.6 https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5
generic_textual HIGH https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5
ssvc Track https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5
cvssv3.1_qr HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v
cvssv4 7.6 https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v
generic_textual HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v
cvssv4 7.6 https://nvd.nist.gov/vuln/detail/CVE-2026-30949
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-30949
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-30949
https://github.com/parse-community/parse-server
https://github.com/parse-community/parse-server/releases/tag/8.6.18
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5
CVE-2026-30949 https://nvd.nist.gov/vuln/detail/CVE-2026-30949
GHSA-48mh-j4p5-7j9v https://github.com/advisories/GHSA-48mh-j4p5-7j9v
GHSA-48mh-j4p5-7j9v https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/releases/tag/8.6.18
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:40:36Z/ Found at https://github.com/parse-community/parse-server/releases/tag/8.6.18
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:40:36Z/ Found at https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:40:36Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-30949
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.14704
EPSS Score 0.00046
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:51:36.492413+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-server/CVE-2026-30949.yml 38.6.0