Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 78ef1a1
Author: Manuel
Date: 2026-03-08T03:50:10Z
Commit Message
fix: Missing audience validation in Keycloak authentication adapter ([GHSA-48mh-j4p5-7j9v](https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v)) (#10137)
Pull Request
PR: #10137 - fix: Missing audience validation in Keycloak authentication adapter (GHSA-48mh-j4p5-7j9v)
Labels: state:released-alpha
Description:
Pull Request
Issue
Missing audience validation in Keycloak authentication adapter ([GHSA-48mh-j4p5-7j9v](https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v))
Tasks
<!-- Check completed tasks and delete tasks that don't a...
Analysis
Vulnerability Type: Authentication Bypass
Severity: High
Description
The patch adds the missing audience check to the Keycloak authentication adapter. Keycloak access tokens carry the client they were issued to in the 'azp' (authorized party) claim. Before the fix the adapter verified the token's signature and issuer but never compared 'azp' with its configured 'client-id', so a token issued by the same realm to any other client was accepted as if it had been issued to Parse Server's own client. The patch rejects any token whose 'azp' claim does not match the configured 'client-id', closing the authentication bypass.
Affected Code
/* Before the patch: no audience validation in validateAuthData (conceptual snippet, not the adapter's literal code) */
// Signature and issuer are verified, but the 'azp' claim is never compared with the configured client-id
const claims = jwt.verify(token, key);
// Missing check: if (claims.azp !== clientId) reject the token
// Authentication proceeds for any token from the realm whose signature and issuer are valid
return claims;
Proof of Concept
1. Obtain a valid JWT access token issued by the same Keycloak realm (same issuer) to a different client-id (e.g., 'other-app'). The token must be genuinely signed by the realm; it cannot be forged without the realm's signing key, but any token the attacker can legitimately get from or capture for another client in the realm will do.
2. Present this token to the vulnerable Keycloak adapter (e.g., set 'access_token' in the auth data to this JWT).
3. Because the adapter verifies only the signature and issuer and never checks the 'azp' (authorized party) claim against its client-id, it accepts the token.
4. As a result, a token issued for 'other-app' is accepted as if it had been issued for Parse Server's client, bypassing the per-client restrictions that the audience check is supposed to enforce.
Example:
{
iss: 'https://auth.example.com/realms/my-realm',
azp: 'other-app', // different client-id
sub: 'victim-user',
exp: future_timestamp
}
Send this token to the Parse Server Keycloak adapter; authentication succeeds incorrectly.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-08T06:00:29.470Z