Parse Server is an open-source backend platform that supports OAuth2 authentication via a generic adapter. In affected versions (>= 9.0.0 and < 9.5.2-alpha.9, and < 8.6.22), when the OAuth2 adapter is used without the useridField option configured, the authentication process only validates that the OAuth2 token is active by querying the provider's token introspection endpoint. However, it fails to verify that the token actually belongs to the user identified by authData.id. This improper authentication (CWE-287) allows an attacker who possesses any valid OAuth2 token issued by the same provider to impersonate any other user in the system, bypassing intended access controls. The vulnerability arises because the adapter trusts token validity without correlating token ownership to the claimed user identity. Exploitation requires possession of a valid OAuth2 token from the same provider but does not require user interaction or elevated privileges beyond token possession. The vulnerability affects any deployment using the generic OAuth2 adapter without useridField configured, which is a common setup. The issue was addressed and fixed in parse-server versions 9.5.2-alpha.9 and 8.6.22 by enforcing proper token ownership verification. No known exploits are reported in the wild as of publication. The CVSS 4.0 score is 7.6 (high), reflecting network attack vector, low attack complexity, partial privileges required, no user interaction, and high impact on confidentiality and integrity.

This vulnerability allows attackers to impersonate any user within affected parse-server deployments by using any valid OAuth2 token from the same provider, effectively bypassing authentication controls. The impact includes unauthorized access to sensitive user data, potential data leakage, privilege escalation, and undermining trust in the authentication system. Organizations relying on parse-server for user authentication and authorization risk exposure of confidential information and unauthorized actions performed under compromised user identities. This can lead to data breaches, compliance violations, and reputational damage. Since parse-server is used globally in various applications, the scope of impact can be broad, especially for deployments that have not configured useridField or have not upgraded to patched versions. The ease of exploitation is moderate due to the need for a valid OAuth2 token, but token theft or reuse scenarios are common in real-world attacks, increasing risk. The vulnerability does not affect availability but severely impacts confidentiality and integrity of user accounts.

1. Upgrade all parse-server deployments to version 9.5.2-alpha.9 or later, or 8.6.22 or later, where the vulnerability is fixed. 2. If upgrading immediately is not possible, ensure that the OAuth2 authentication adapter is configured with the useridField option correctly set to enforce token ownership verification. 3. Review OAuth2 token issuance and storage policies to minimize token leakage or misuse. 4. Implement additional monitoring and anomaly detection for suspicious authentication activities, such as token reuse across different user accounts. 5. Conduct thorough audits of user authentication logs to detect potential unauthorized access. 6. Educate developers and administrators on secure OAuth2 configuration practices within parse-server. 7. Consider implementing multi-factor authentication (MFA) to reduce risk from token compromise. 8. Regularly review and update dependencies and third-party components to incorporate security patches promptly.