Impact
The flaw in Parse Server allows an authenticated user to retrieve sensitive authentication information, including MFA TOTP secrets and recovery codes, from the /users/me endpoint. Technically, the endpoint performs an internal query that runs with master-level authentication, and that master context leaks into the returned user data, bypassing the sanitization the auth adapter normally applies to non-master reads. The result is a classic credential exposure vulnerability, classified as CWE-200. An attacker who obtains a valid session token can extract the MFA secret once and then generate valid TOTP codes from it indefinitely, effectively enabling ongoing account takeover.
Affected Systems
All publicly available releases of Parse Server prior to version 8.6.61 and 9.6.0-alpha.55 are affected. The vulnerability applies to the open-source Parse Server, which can run on any Node.js-capable infrastructure. The provided list of CPE identifiers confirms that all alpha releases and earlier stable releases fall within scope, so any deployment running these versions must be evaluated.
Risk and Exploitability
The CVSS score of 7.1 reflects a medium-to-high impact, while the EPSS score below 1% indicates that the likelihood of current exploitation is low. The vulnerability is not presently listed in CISA's KEV catalog. Exploitation requires an attacker to possess a legitimate user's session token, which can be obtained through credential compromise, phishing, or session hijacking. Once the token is held, the attacker can repeatedly call GET /users/me and harvest MFA secrets, gaining indefinite access to the victim's account without further effort. Consequently, the risk profile combines confidentiality loss of secret credentials with potential long-term unauthorized access.