CVE-2026-32242
Published: 12 March 2026
Summary
CVE-2026-32242 is a high-severity Race Condition (CWE-362) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Accurate timestamps from internal clocks enable detection of race conditions by providing reliable event ordering in audit logs.
Coordination of concurrent security activities reduces the probability that shared resources will be accessed simultaneously without proper synchronization.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Race condition enables auth bypass in public-facing Parse Server OAuth2 adapter, directly supporting T1190 for remote exploitation and T1078 for resulting account impersonation/unauthorized access.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy. Deployments that configure multiple OAuth2 providers via the oauth2: true flag are affected. This vulnerability is fixed in 9.6.0-alpha.11 and 8.6.37.
Deeper analysis (AI)
CVE-2026-32242 is a race condition vulnerability (CWE-362) in Parse Server, an open source backend deployable on any Node.js infrastructure. The issue affects the built-in OAuth2 authentication adapter, which exports a singleton instance reused across all OAuth2 provider configurations. In versions prior to 9.6.0-alpha.11 and 8.6.37, concurrent authentication requests for different OAuth2 providers can cause one provider's token validation to execute using another provider's configuration. This may allow a token that should be rejected by its intended provider to be accepted due to validation against a different provider's policy. Only deployments configuring multiple OAuth2 providers via the oauth2: true flag are affected. The vulnerability has a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
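The bug class described above, reduced to a runnable sketch. This is an added example, not Parse Server's adapter code: the provider options, the token store, the simulated introspection call and the names SharedStateAdapter, StatelessAdapter and concurrentLogins are all constructed for illustration. The point it shows is the one the advisory makes: a single shared adapter object that parks the current provider's options on itself, then awaits a network round-trip, will read whatever options the most recent caller stored, so a token minted for the lenient provider passes the strict provider's check. The stateless variant keeps the options on the call and validates correctly under the same interleaving.

```javascript
// Added example modelling the CVE-2026-32242 bug class (shared adapter state
// overwritten between an await and its later read) and the stateless fix.
// Everything here is constructed; it is not Parse Server's implementation.

// Constructed provider configurations: "strict" pins the token audience,
// "lenient" accepts any audience.
const PROVIDERS = {
  strict:  { name: 'strict',  requiredAudience: 'strict-app' },
  lenient: { name: 'lenient', requiredAudience: null },
};

// Constructed token store standing in for the provider's introspection endpoint.
// The only token was issued for the lenient provider's audience.
const TOKENS = {
  'tok-for-lenient': { sub: 'alice', aud: 'lenient-app' },
};

// Simulated network round-trip. Yielding to the event loop is exactly the
// window in which a second, concurrent request can run.
async function introspect(accessToken) {
  await new Promise((resolve) => setTimeout(resolve, 0));
  return TOKENS[accessToken] || null;
}

// Policy check shared by both adapters; the provider options decide the outcome.
function checkClaims(claims, providerOptions) {
  if (!claims) {
    return { ok: false, provider: providerOptions.name, reason: 'unknown token' };
  }
  const required = providerOptions.requiredAudience;
  if (required && claims.aud !== required) {
    return { ok: false, provider: providerOptions.name, reason: 'audience mismatch' };
  }
  return { ok: true, provider: providerOptions.name, sub: claims.sub };
}

// VULNERABLE pattern: one instance serves every provider and stores the
// current provider's options on `this`.
class SharedStateAdapter {
  async validateAuthData(authData, providerOptions) {
    this.options = providerOptions;                  // shared mutable state
    const claims = await introspect(authData.access_token);
    return checkClaims(claims, this.options);         // may now be another provider's options
  }
}

// HARDENED pattern: options travel with the call and never touch shared state,
// so the instance can be shared safely (a per-provider instance also works).
class StatelessAdapter {
  async validateAuthData(authData, providerOptions) {
    const claims = await introspect(authData.access_token);
    return checkClaims(claims, providerOptions);
  }
}

// Two concurrent logins with the same lenient-audience token: one against the
// strict provider, one against the lenient provider. Only the second should succeed.
async function concurrentLogins(adapter) {
  const authData = { access_token: 'tok-for-lenient' };
  const [strictResult, lenientResult] = await Promise.all([
    adapter.validateAuthData(authData, PROVIDERS.strict),
    adapter.validateAuthData(authData, PROVIDERS.lenient),
  ]);
  return { strictResult, lenientResult };
}

// Stand-alone run: the shared instance reports the strict login as accepted
// under the lenient provider's policy; the stateless adapter rejects it.
concurrentLogins(new SharedStateAdapter())
  .then((r) => console.log('shared instance:', JSON.stringify(r)));
concurrentLogins(new StatelessAdapter())
  .then((r) => console.log('stateless      :', JSON.stringify(r)));
```

The interleaving is deterministic here because both calls reach their await before either timer fires; in production the same outcome depends on request timing, which is why the advisory rates the attack complexity as high rather than impossible. The defensive takeaway is the fix shape: per-request configuration must be passed as an argument or held by a per-provider instance, never assigned to a shared object across an await.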
An attacker can exploit this vulnerability over the network without authentication privileges by timing concurrent authentication requests across multiple OAuth2 providers. Under race conditions, they could supply a token valid under one provider's lenient policy but intended for a stricter one, tricking the server into accepting it. Successful exploitation enables high-impact confidentiality and integrity violations, such as unauthorized access to user accounts or data by impersonating legitimate users.
The Parse Server security advisory (GHSA-2cjm-2gwv-m892) and the release notes for versions 8.6.37 and 9.6.0-alpha.11 detail the fix, which addresses the singleton reuse in the OAuth2 adapter. Security practitioners should upgrade to Parse Server 9.6.0-alpha.11 or later (9.x branch) or 8.6.37 or later (8.x branch), and review configurations to confirm that every OAuth2 provider enabled via oauth2: true is actually needed, since only deployments with multiple providers are exposed.
Details
- CWE(s)