Parse Server is an open-source backend platform that supports deployment on any Node.js infrastructure. It integrates with Keycloak for authentication via a dedicated adapter. In versions prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak adapter does not properly validate the 'azp' claim in access tokens. The 'azp' claim identifies the authorized party (client application) for which the token was issued. Without validating this claim against the configured client-id, the adapter accepts tokens issued for other client applications within the same Keycloak realm. This improper authentication (CWE-287) flaw allows an attacker possessing a valid access token for one client application to impersonate any user on the Parse Server that uses the Keycloak adapter, effectively enabling cross-application account takeover. The vulnerability affects all deployments using the Keycloak adapter with multi-client Keycloak realms. Exploitation requires possession of a valid token from the same realm but different client, which could be obtained through other means or compromised clients. The vulnerability impacts confidentiality and integrity by allowing unauthorized access to user accounts without requiring user interaction. The issue is addressed by validating the 'azp' claim against the expected client-id in the patched versions 9.5.2-alpha.5 and 8.6.18.

This vulnerability can lead to unauthorized access to user accounts across different client applications within the same Keycloak realm, resulting in cross-application account takeover. Attackers can impersonate legitimate users, potentially accessing sensitive data, performing unauthorized actions, or escalating privileges within the affected Parse Server environment. This compromises user confidentiality and integrity, and may lead to data breaches, fraud, or disruption of services. Organizations relying on parse-server with Keycloak in multi-client configurations face significant risk, especially if tokens can be obtained from other client applications. The lack of user interaction and low privilege requirements make exploitation feasible in network-accessible environments. The vulnerability could undermine trust in authentication mechanisms and expose critical backend services to attackers.

Organizations should immediately upgrade parse-server to versions 9.5.2-alpha.5 or later, or 8.6.18 or later, where the Keycloak adapter properly validates the 'azp' claim. Until upgrading, administrators should consider restricting Keycloak realms to single-client configurations to reduce risk or implement additional token validation logic at the application layer to verify the 'azp' claim against the expected client-id. Monitoring and logging authentication attempts for anomalies related to token usage across clients can help detect exploitation attempts. Additionally, ensure that access tokens are securely stored and transmitted to prevent token theft. Review Keycloak client configurations to minimize token sharing and enforce strict client isolation. Regularly audit and rotate tokens and credentials to limit the window of exposure. Finally, educate developers and administrators about the risks of multi-client realms without proper token validation.