CVE-2026-32269
Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
Description
### Impact The OAuth2 authentication adapter does not correctly validate app IDs when `appidField` and `appIds` are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request. Deployments using the OAuth2 adapter with `appidField` and `appIds` configured are affected. ### Patches The fix corrects the parameter alignment in the OAuth2 adapter's app ID validation method to match the expected interface, ensuring the correct access token is sent to the introspection endpoint. ### Workarounds There is no known workaround. ### References - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2 - Fix in Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13 - Fix in Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.39
How to fix CVE-2026-32269
To remediate CVE-2026-32269, upgrade the affected package to a fixed version below.
- —upgrade to 8.6.39 or later
- —upgrade to 9.6.0-alpha.13 or later
Is CVE-2026-32269 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 8.0.2, < 8.6.39, >= 9.0.0, < 9.6.0
- >= 9.0.0, < 9.6.0-alpha.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |