Summary
Workarounds
- Google / Apple: Ensure clientId is set in the adapter configuration. When set, JWT verification correctly validates the audience claim even on unpatched versions.
- Facebook Limited Login: There is no workaround. The unpatched adapter does not pass appIds to JWT audience validation, so the only mitigation is to upgrade.
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.11
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.10
Impact
The Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server.
- For Google and Apple, the vulnerability is exploitable when the server does not configure clientId. The adapters accepted this as valid and simply skipped audience validation.
- For Facebook Limited Login, the vulnerability exists regardless of configuration. The adapter validated appIds only for Standard Login (Graph API), but the Limited Login JWT path never passed appIds as the audience to JWT verification.
The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The fix enforces clientId (Google/Apple) and appIds (Facebook) as mandatory and passes them to JWT verification for audience validation. While this is technically a breaking change for servers that omit these options, it is not treated as a breaking change because, per the documentation, all three options are documented as required configuration.
Frequently Asked Questions
- What is CVE-2026-30863? CVE-2026-30863 is a critical-severity improper authentication vulnerability in parse-server (npm), affecting versions >= 9.0.0-alpha.1, < 9.5.0-alpha.11. It is fixed in 9.5.0-alpha.11, 8.6.10. The application does not adequately verify the identity of a user, device, or process before granting access.
- Which versions of parse-server are affected by CVE-2026-30863? parse-server (npm) versions >= 9.0.0-alpha.1, < 9.5.0-alpha.11 are affected.
- Is there a fix for CVE-2026-30863? Yes. CVE-2026-30863 is fixed in 9.5.0-alpha.11, 8.6.10. Upgrade to the fixed version for your release line or later.
- Is CVE-2026-30863 exploitable, and should I be worried? Whether CVE-2026-30863 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-30863 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-30863?
  - Upgrade parse-server to 9.5.0-alpha.11 or later
  - Upgrade parse-server to 8.6.10 or later
- Upgrade