How to fix CVE-2026-30949?

Within 24 hours: Identify all Parse Server instances using Keycloak authentication and assess exposure scope. Within 7 days: Apply patches to all affected systems (upgrade to 9.5.2-alpha.5 or 8.6.18+). Within 30 days: Conduct security audit of access logs and Keycloak token usage during the vulnerability window to detect any exploitation attempts.

Is Node.js affected by CVE-2026-30949?

Parse Server instances using Keycloak authentication are vulnerable to token forgery attacks that could allow unauthorized access to backend systems and data.

CVE-2026-30949

HIGH

2026-03-10 [email protected]

GHSA-48mh-j4p5-7j9v

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

Patch Released

Mar 11, 2026 - 19:40 nvd

Patch available

CVE Published

Mar 10, 2026 - 21:16 nvd

HIGH 8.8

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected. This vulnerability is fixed in 9.5.2-alpha.5 and 8.6.18.

Analysis

Parse Server's Keycloak authentication adapter fails to validate the authorized party claim in access tokens, allowing tokens issued for one client application to authenticate users on another client within the same Keycloak realm. An authenticated attacker with valid credentials to any client application can exploit this to perform cross-application account takeover against Parse Server instances using Keycloak authentication in multi-client environments. …

Remediation

Within 24 hours: Identify all Parse Server instances using Keycloak authentication and assess exposure scope. Within 7 days: Apply patches to all affected systems (upgrade to 9.5.2-alpha.5 or 8.6.18+). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2026-30949 vulnerability details – vuln.today

Back

CVE-2026-30949

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-30949

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code