CVE-2026-27804
Published: 26 February 2026
Summary
CVE-2026-27804 is a critical-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely remediation of the specific software flaw that allows forged JWT tokens with the 'none' algorithm to be accepted by Parse Server.
- IA-5 (Authenticator Management): ensures authenticators such as Google JWT tokens have sufficient strength of mechanism, rejecting weak algorithms such as 'none' and improperly validated keys.
- Cryptographic protection: mandates cryptographic mechanisms that prohibit risky algorithms and enforce proper key management, addressing both the JWT algorithm confusion and the custom key fetcher flaw.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated, remotely triggerable JWT algorithm confusion flaw directly enables exploitation of a public-facing Parse Server instance (T1190) and the subsequent impersonation and abuse of valid application user accounts without their credentials (Valid Accounts, T1078).
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. The fix in versions 8.6.3 and 9.1.1-alpha.4 hardcodes the expected `RS256` algorithm instead of trusting the JWT header, and replaces the Google adapter's custom key fetcher with `jwks-rsa`, which rejects unknown key IDs. As a workaround, disable Google authentication until upgrading is possible.
Deeper analysis
CVE-2026-27804 is a critical vulnerability in Parse Server, an open source backend deployable on any Node.js infrastructure. In versions prior to 8.6.3 and 9.1.1-alpha.4, the Google authentication mechanism fails to properly validate JWT algorithms, allowing an unauthenticated attacker to forge a Google authentication token by setting the `alg` parameter to `"none"`. This flaw affects all deployments with Google authentication enabled, stemming from CWE-327 (Broken or Risky Cryptographic Algorithm) and CWE-345 (Insufficient Verification of Data Authenticity), with a CVSS v3.1 base score of 9.1.
An unauthenticated attacker can exploit this remotely over the network with low complexity and no privileges or user interaction required. By crafting a JWT that claims Google origin but declares the `"none"` algorithm, the attacker can impersonate any user linked to a Google account without knowing their credentials, gaining unauthorized access to that user's data and actions within the Parse Server application.
Mitigation requires upgrading to Parse Server versions 8.6.3 or 9.1.1-alpha.4, which enforce the `RS256` algorithm instead of trusting the JWT header and replace the custom Google key fetcher with the `jwks-rsa` library that rejects unknown key IDs. As a temporary workaround, disable Google authentication until patching is feasible. Relevant details are documented in the Parse Server security advisory (GHSA-4q3h-vp4r-prv2) and release notes for the fixed versions.
Details
- CWE(s)