CVE-2026-32242: CVE-2026-32242: Authentication Bypass via Race Condition in Parse Server OAuth2 Adapter

#security #cve #cybersecurity

CVE-2026-32242: Authentication Bypass via Race Condition in Parse Server OAuth2 Adapter

Vulnerability ID: CVE-2026-32242
CVSS Score: 9.1
Published: 2026-03-12

Parse Server versions prior to 8.6.37 and 9.6.0-alpha.11 contain a critical race condition in the built-in OAuth2 authentication adapter. Concurrent authentication requests across different OAuth2 providers can overwrite shared configuration state, leading to authentication bypass and unauthorized account access.

TL;DR

A race condition in Parse Server's OAuth2 adapter allows attackers to bypass authentication and access unauthorized accounts by exploiting a shared singleton configuration instance during concurrent login requests.

Technical Details

Vulnerability Type: Race Condition (CWE-362)
CVSS Score: 9.1 (Critical)
Attack Vector: Network (AV:N)
Attack Complexity: High (AC:H)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Exploit Status: Unpublished

Affected Systems

Parse Server
Parse Server: < 8.6.37 (Fixed in: 8.6.37)
Parse Server: >= 9.0.0, < 9.6.0-alpha.11 (Fixed in: 9.6.0-alpha.11)

Mitigation Strategies

Upgrade Parse Server to a patched version (8.6.37 or 9.6.0-alpha.11).
Disable unused or non-essential OAuth2 providers to reduce attack surface.
Implement rate limiting on authentication endpoints to disrupt timing-based attacks.
Monitor authentication logs for concurrent requests targeting different providers from the same source.

Remediation Steps:

Identify the current version of Parse Server in the deployment.
Update package dependencies in package.json to reference Parse Server version 8.6.37 or 9.6.0-alpha.11.
Run 'npm install' or 'yarn install' to fetch the updated packages.
Restart the Parse Server application to load the patched components.
Verify that OAuth2 authentication continues to function correctly across all active providers.