{"id":"GHSA-69xg-f649-w5g2","summary":"Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint","details":"### Impact\n\nThe OAuth2 authentication adapter does not correctly validate app IDs when `appidField` and `appIds` are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request.\n\nDeployments using the OAuth2 adapter with `appidField` and `appIds` configured are affected.\n\n### Patches\n\nThe fix corrects the parameter alignment in the OAuth2 adapter's app ID validation method to match the expected interface, ensuring the correct access token is sent to the introspection endpoint.\n\n### Workarounds\n\nThere is no known workaround.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2\n- Fix in Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13\n- Fix in Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.39","aliases":["BIT-parse-2026-32269","CVE-2026-32269"],"modified":"2026-03-16T10:40:56.912017Z","published":"2026-03-13T20:02:25Z","database_specific":{"cwe_ids":["CWE-683"],"severity":"MODERATE","github_reviewed_at":"2026-03-13T20:02:25Z","github_reviewed":true,"nvd_published_at":"2026-03-12T20:16:06Z"},"references":[{"type":"WEB","url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32269"},{"type":"PACKAGE","url":"https://github.com/parse-community/parse-server"},{"type":"WEB","url":"https://github.com/parse-community/parse-server/releases/tag/8.6.39"},{"type":"WEB","url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13"}],"affected":[{"package":{"name":"parse-server","ecosystem":"npm","purl":"pkg:npm/parse-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"9.0.0"},{"fixed":"9.6.0-alpha.13"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-69xg-f649-w5g2/GHSA-69xg-f649-w5g2.json"}},{"package":{"name":"parse-server","ecosystem":"npm","purl":"pkg:npm/parse-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"8.0.2"},{"fixed":"8.6.39"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-69xg-f649-w5g2/GHSA-69xg-f649-w5g2.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}]}