What is the CVSS score of CVE-2026-27804?

CVE-2026-27804 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Node.js are affected by CVE-2026-27804?

This critical vulnerability allows attackers to impersonate any user with Google authentication without credentials, potentially compromising user accounts and sensitive data across all Parse Server…. A patch is available.

Node.js CVE-2026-27804

CRITICAL

Use of a Broken or Risky Cryptographic Algorithm (CWE-327)

2026-02-26 security-advisories@github.com

GHSA-4q3h-vp4r-prv2

Node.js Parse Server

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

Patch released

Mar 04, 2026 - 03:09 nvd

Patch available

CVE Published

Feb 26, 2026 - 00:16 nvd

CRITICAL 9.1

DescriptionNVD

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. The fix in versions 8.6.3 and 9.1.1-alpha.4 hardcodes the expected RS256 algorithm instead of trusting the JWT header, and replaces the Google adapter's custom key fetcher with jwks-rsa which rejects unknown key IDs. As a workaround, dsable Google authentication until upgrading is possible.

AnalysisAI

Weak cryptographic algorithm in Parse Server before 8.6.3/9.1.1-alpha.4 allows attackers to bypass security mechanisms. Patch available.

RemediationAI

Within 24 hours: Identify all Parse Server instances with Google authentication enabled and assess exposure. Within 7 days: Apply vendor patches (versions 8.6.3 or 9.1.1-alpha.4 or later) to all affected systems and validate JWT algorithm enforcement is set to RS256. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-27804 vulnerability details – vuln.today

Back

Node.js CVE-2026-27804

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code