CVE-2026-27804

CRITICAL

Parse Server <8.6.3/9.1.1-alpha.4 - Auth Bypass


Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` and log in as any user linked to a Google account, without knowing that user's credentials. All deployments with Google authentication enabled are affected. The fix in versions 8.6.3 and 9.1.1-alpha.4 hardcodes the expected `RS256` algorithm instead of trusting the algorithm named in the JWT header, and replaces the Google adapter's custom key fetcher with `jwks-rsa`, which rejects unknown key IDs. As a workaround, disable Google authentication until upgrading is possible.

Scores

CVSS v3 9.1
EPSS 0.0003
EPSS Percentile 9.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Classification

CWE
CWE-327 CWE-345
Status published

Affected Products (5)

npm/parse-server < 9.3.1-alpha.4
parseplatform/parse-server < 8.6.3

Timeline

Published Feb 26, 2026
Tracked Since Feb 26, 2026