CVE-2026-30863: Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters

The Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter’s audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server.

• For Google and Apple, the vulnerability is exploitable when the server does not configure clientId. The adapters accepted this as valid and simply skipped audience validation.
• For Facebook Limited Login, the vulnerability exists regardless of configuration. The adapter validated appIds only for Standard Login (Graph API), but the Limited Login JWT path never passed appIds as the audience to JWT verification.