
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27804: Trust Issues: How a JWT Header Toppled Parse Server Authentication


Vulnerability ID: CVE-2026-27804
CVSS Score: 9.3
Published: 2026-02-25

A critical vulnerability in Parse Server's authentication adapters allows complete account takeover (ATO) via JWT algorithm confusion. Because the adapters trusted the 'alg' header of user-supplied tokens, an attacker can bypass signature verification with the 'none' algorithm, or use a key confusion attack (an asymmetric key reused as a symmetric one), to impersonate any user on the platform without credentials.

TL;DR

Parse Server trusted the JWT header to tell it which cryptographic algorithm to use for verification. An attacker can set this field to "none" or "HS256" to bypass authentication and log in as any user (including admins) simply by knowing their email or user ID. Patch immediately to version 8.6.3 or 9.3.1-alpha.4.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-327 (Broken Crypto Algorithm)
  • CVSS v4.0: 9.3 (Critical)
  • Attack Vector: Network (API)
  • Privileges Required: None
  • Impact: Account Takeover
  • Exploit Status: PoC Available

Affected Systems

  • Parse Server (NPM package)
  • Applications using Parse Server with Google Auth Adapter
  • Applications using Parse Server with Apple Auth Adapter
  • Applications using Parse Server with Facebook Auth Adapter
  • parse-server: < 8.6.3 (Fixed in: 8.6.3)
  • parse-server: >= 9.0.0, < 9.3.1-alpha.4 (Fixed in: 9.3.1-alpha.4)

Code Analysis

Commit: 9b94083

Fix for Google/Apple auth adapter algorithm confusion

[Image: diff showing removal of dynamic alg extraction and addition of hardcoded RS256]

Commit: 9d5942d

Additional hardening for Facebook adapter

[Image: hardcoded algorithms for Facebook Graph API validation]

Exploit Details

Mitigation Strategies

  • Upgrade Parse Server immediately.
  • Disable third-party authentication adapters (Google, Apple, Facebook) if patching is not possible.
  • Implement WAF rules to inspect JWT headers for 'alg': 'none' or 'alg': 'HS256' on auth endpoints (the header is the base64url-encoded first segment of the token, so the rule must decode it rather than match the raw string).

Remediation Steps:

  1. Check your package.json for parse-server.
  2. If version is < 8.6.3, run npm install parse-server@8.6.3.
  3. If version is 9.x < 9.3.1-alpha.4, upgrade to the latest alpha or roll back to stable 8.6.3.
  4. Restart the Parse Server service.
  5. Verify login functionality with valid tokens.

References


Read the full report for CVE-2026-27804 on our website for more details including interactive diagrams and full exploit analysis.
