CVE-2026-32242 is a race condition vulnerability classified under CWE-362 affecting the parse-community parse-server, an open-source backend platform running on Node.js. The root cause is the export of a singleton OAuth2 auth adapter instance shared across all OAuth2 provider configurations. When multiple OAuth2 providers are configured concurrently (via the oauth2: true flag), simultaneous authentication requests can cause token validation logic to cross-contaminate between providers. Specifically, a token intended for one OAuth2 provider might be validated against another provider's configuration, which could result in acceptance of tokens that should be rejected. This improper synchronization arises from concurrent execution using shared resources without adequate locking or isolation. The vulnerability affects parse-server versions >= 9.0.0 and < 9.6.0-alpha.11, and versions below 8.6.37. The CVSS 4.0 score is 9.1 (critical), reflecting network attack vector, high attack complexity, no privileges or user interaction required, and high impact on confidentiality and integrity. The flaw can lead to unauthorized access by bypassing OAuth2 token validation policies. The issue has been fixed in versions 9.6.0-alpha.11 and 8.6.37. No public exploits have been reported yet, but the severity and nature of the flaw make it a high-risk vulnerability for affected deployments.

This vulnerability can have severe consequences for organizations using parse-server with multiple OAuth2 providers. By allowing tokens to be validated against incorrect provider configurations, attackers could gain unauthorized access to protected resources, impersonate users, or escalate privileges across different OAuth2 domains. This undermines the integrity and confidentiality of authentication processes, potentially exposing sensitive user data and backend services. Since parse-server is used as a backend for various applications, including mobile and web apps, exploitation could lead to widespread unauthorized access and data breaches. The network-exploitable nature and lack of required privileges mean attackers can attempt exploitation remotely without prior access. Organizations relying on OAuth2 for secure authentication are particularly at risk, and the vulnerability could impact compliance with data protection regulations if exploited.

Organizations should immediately upgrade parse-server to version 9.6.0-alpha.11 or later, or 8.6.37 or later, where the race condition has been fixed. Until upgrades are applied, deployments should avoid configuring multiple OAuth2 providers simultaneously with the oauth2: true flag to reduce exposure. Implementing additional application-level synchronization or request serialization around OAuth2 token validation may help mitigate concurrent execution issues temporarily. Security teams should audit OAuth2 configurations and monitor authentication logs for anomalies indicating token validation inconsistencies. Employing runtime application self-protection (RASP) or Web Application Firewalls (WAFs) with custom rules to detect unusual OAuth2 token usage patterns can provide additional defense. Finally, ensure that all dependencies and third-party libraries are kept up to date and conduct regular security testing focused on authentication mechanisms.