{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32269", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T15:05:48.398Z", "datePublished": "2026-03-12T19:43:23.632Z", "dateUpdated": "2026-03-13T16:11:21.212Z"}, "containers": {"cna": {"title": "Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-683", "lang": "en", "description": "CWE-683: Function Call With Incorrect Order of Arguments", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/8.6.39", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.39"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": ">= 9.0.0, < 9.6.0-alpha.13", "status": "affected"}, {"version": ">= 8.0.2, < 8.6.39", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T19:43:23.632Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request. Deployments using the OAuth2 adapter with appidField and appIds configured are affected. This vulnerability is fixed in 9.6.0-alpha.13 and 8.6.39."}], "source": {"advisory": "GHSA-69xg-f649-w5g2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:11:12.313618Z", "id": "CVE-2026-32269", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:11:21.212Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32269", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T16:11:12.313618Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:11:17.804Z"}}], "cna": {"title": "Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint", "source": {"advisory": "GHSA-69xg-f649-w5g2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": ">= 9.0.0, < 9.6.0-alpha.13"}, {"status": "affected", "version": ">= 8.0.2, < 8.6.39"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.39", "name": "https://github.com/parse-community/parse-server/releases/tag/8.6.39", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13", "name": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request. Deployments using the OAuth2 adapter with appidField and appIds configured are affected. This vulnerability is fixed in 9.6.0-alpha.13 and 8.6.39."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-683", "description": "CWE-683: Function Call With Incorrect Order of Arguments"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T19:43:23.632Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32269", "state": "PUBLISHED", "dateUpdated": "2026-03-13T16:11:21.212Z", "dateReserved": "2026-03-11T15:05:48.398Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T19:43:23.632Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "CECFEEC1-0DBC-45AC-817A-B53D4F80E0C9", "versionEndExcluding": "8.6.39", "versionStartIncluding": "8.0.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "1BAC01F8-0899-482C-8D91-64671BF2859A", "versionEndExcluding": "9.6.0", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "BBED261F-CA1B-44BC-9C3A-37378590EFEE", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*", "matchCriteriaId": "418338C9-6AEC-492C-ACA4-9B3C0AAE149C", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*", "matchCriteriaId": "808B6482-BF8E-407D-8462-E757657CC323", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*", "matchCriteriaId": "B84C28F8-AADE-41BB-A0EF-B701AB57DC3A", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "EDC98AF7-8620-4A25-9BE5-623672599677", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "DF340605-8CC8-4543-9F5D-E8602D258CED", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "A052DFCA-EDCC-43D7-82C7-E5311F6F7687", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "12B11714-B961-4330-B241-FC5AF94FDBE8", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "37A7C42B-4986-4BB6-BB27-0324A9AA1CFF", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*", "matchCriteriaId": "C793834B-64B4-4DE9-BD7D-79B52C30C34E", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*", "matchCriteriaId": "7AD455C8-88BE-4A0A-B33D-3A7811FFB753", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*", "matchCriteriaId": "26C475A2-997C-4C3A-8CB6-04AB3534BBC3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request. Deployments using the OAuth2 adapter with appidField and appIds configured are affected. This vulnerability is fixed in 9.6.0-alpha.13 and 8.6.39."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.6.0-alpha.13 y 8.6.39, el adaptador de autenticaci\u00f3n OAuth2 no valida correctamente los ID de aplicaci\u00f3n cuando appidField y appIds est\u00e1n configurados. Durante la validaci\u00f3n del ID de aplicaci\u00f3n, se env\u00eda un valor malformado al endpoint de introspecci\u00f3n de tokens en lugar del token de acceso real del usuario. Dependiendo del comportamiento del endpoint de introspecci\u00f3n, esto podr\u00eda causar que todos los inicios de sesi\u00f3n de OAuth2 fallen, o permitir la autenticaci\u00f3n desde contextos de aplicaci\u00f3n no permitidos si el endpoint devuelve datos de apariencia v\u00e1lida para la solicitud malformada. Las implementaciones que utilizan el adaptador OAuth2 con appidField y appIds configurados se ven afectadas. Esta vulnerabilidad est\u00e1 corregida en 9.6.0-alpha.13 y 8.6.39."}], "id": "CVE-2026-32269", "lastModified": "2026-03-13T18:59:01.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "[email protected]", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-12T20:16:06.187", "references": [{"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.39"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-683"}], "source": "[email protected]", "type": "Primary"}]}

{}