VYPR
Critical severityNVD Advisory· Published Feb 25, 2026· Updated Feb 26, 2026

Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter

CVE-2026-27804

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. The fix in versions 8.6.3 and 9.1.1-alpha.4 hardcodes the expected RS256 algorithm instead of trusting the JWT header, and replaces the Google adapter's custom key fetcher with jwks-rsa which rejects unknown key IDs. As a workaround, dsable Google authentication until upgrading is possible.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
parse-servernpm
>= 9.0.0, < 9.3.1-alpha.49.3.1-alpha.4
parse-servernpm
< 8.6.38.6.3

Affected products

3

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.