{"id":"GHSA-48mh-j4p5-7j9v","summary":"Parse Server missing audience validation in Keycloak authentication adapter","details":"### Impact\n\nThe Keycloak authentication adapter does not validate the `azp` (authorized party) claim of Keycloak access tokens against the configured `client-id`. A valid access token issued by the same Keycloak realm for a *different* client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms.\n\nAll Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected.\n\n### Patches\n\nThe fix replaces the userinfo HTTP call with local JWT verification and enforces `azp` claim validation against the configured `client-id`.\n\n### Workarounds\n\nNone.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.18","aliases":["BIT-parse-2026-30949","CVE-2026-30949"],"modified":"2026-03-14T03:41:20.465089Z","published":"2026-03-11T00:17:53Z","database_specific":{"github_reviewed_at":"2026-03-11T00:17:53Z","severity":"HIGH","nvd_published_at":"2026-03-10T21:16:47Z","cwe_ids":["CWE-287"],"github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30949"},{"type":"PACKAGE","url":"https://github.com/parse-community/parse-server"},{"type":"WEB","url":"https://github.com/parse-community/parse-server/releases/tag/8.6.18"},{"type":"WEB","url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5"}],"affected":[{"package":{"name":"parse-server","ecosystem":"npm","purl":"pkg:npm/parse-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"9.0.0"},{"fixed":"9.5.2-alpha.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-48mh-j4p5-7j9v/GHSA-48mh-j4p5-7j9v.json"}},{"package":{"name":"parse-server","ecosystem":"npm","purl":"pkg:npm/parse-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"8.6.18"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-48mh-j4p5-7j9v/GHSA-48mh-j4p5-7j9v.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}