Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7.
Published: 2026-03-31
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Data exposure of authentication secrets
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies within the verify password endpoint of Parse Server: when a user’s credentials are validated, the endpoint returns unsanitized authentication data that includes MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who possesses a user’s password can extract the MFA secret and generate valid one‑time codes, thereby bypassing multi‑factor authentication and gaining unauthorized access to the account.

Affected Systems

Parse Community’s Parse Server, which runs on Node.js, is affected. All versions released before 8.6.63 and before 9.7.0‑alpha.7 contain the vulnerability. This includes every prior minor and release candidate build of Parse Server.

Risk and Exploitability

The problem carries a high severity rating of 8.2, yet the estimated likelihood of exploitation is below 1%. It is not listed in the CISA KEV catalog. Attackers must first obtain a victim’s password through phishing, credential stuffing, or other means. Once authenticated, they can retrieve the MFA secret and use it to produce valid MFA codes, effectively undermining the second factor and compromising the target account.

Generated by OpenCVE AI on April 2, 2026 at 04:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.63 or later, or 9.7.0‑alpha.7 or later, to apply the patch.
  • If an upgrade cannot be performed immediately, disable or restrict the verify password endpoint to prevent disclosure of sensitive authentication data.

Generated by OpenCVE AI on April 2, 2026 at 04:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wp76-gg32-8258 Parse Server exposes auth data via verify password endpoint
History

Fri, 03 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7.
Title Parse Server: Auth data exposed via verify password endpoint
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:24:14.183Z

Reserved: 2026-03-26T15:57:52.324Z

Link: CVE-2026-34215

cve-icon Vulnrichment

Updated: 2026-04-03T16:24:09.145Z

cve-icon NVD

Status : Modified

Published: 2026-03-31T20:16:29.013

Modified: 2026-04-03T17:16:43.630

Link: CVE-2026-34215

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:11:00Z

Weaknesses