CVE-2026-30949
Published: 10 March 2026
Summary
CVE-2026-30949 is a high-severity Improper Authentication (CWE-287) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-13 (Identity Providers and Authorization Servers).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by identifying, reporting, and applying the vendor-released patches (8.6.18 or 9.5.2-alpha.5) that enforce azp claim validation in the Keycloak adapter.
Ensures proper selection, configuration, and monitoring of authorization servers like Keycloak to validate token claims such as azp against the client-id, preventing cross-client token misuse.
Enforces approved access authorizations by requiring validation of token claims like azp, blocking impersonation attempts via tokens from other clients in the same realm.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Auth bypass (missing azp validation) in public-facing Parse Server directly enables remote exploitation of the application and subsequent impersonation/abuse of valid user accounts for cross-app takeover.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected. This vulnerability is fixed in 9.5.2-alpha.5 and 8.6.18.
Deeper analysis
CVE-2026-30949 affects Parse Server, an open-source backend deployable on any Node.js-compatible infrastructure. The vulnerability resides in the Keycloak authentication adapter, which prior to versions 9.5.2-alpha.5 and 8.6.18 fails to validate the 'azp' (authorized party) claim in Keycloak access tokens against the configured client-id. This flaw, classified under CWE-287 (Improper Authentication), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). All Parse Server deployments using the Keycloak adapter within a multi-client Keycloak realm are impacted.
An attacker with low privileges, such as a legitimate user of another client application in the same Keycloak realm, can exploit this over the network with low complexity and no user interaction required. By obtaining a valid access token issued for their own client application, the attacker can impersonate any user on the target Parse Server instance, enabling cross-application account takeover. This grants high-impact confidentiality, integrity, and availability compromises, potentially allowing full control over victim accounts.
The Parse Server security advisory (GHSA-48mh-j4p5-7j9v) and release notes for versions 8.6.18 and 9.5.2-alpha.5 confirm the fix, which enforces proper 'azp' claim validation against the client-id. Security practitioners should upgrade affected deployments immediately to these versions and review Keycloak realm configurations for multi-client setups.
Details
- CWE(s)