Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassword endpoints. These endpoints re-fetch the user through the access-controlled query pipeline (CLP, protectedFields, auth-adapter sanitizers) before responding. When that re-fetch was denied by the _User get permission, the server fell back to the raw database row, exposing raw authData (including MFA TOTP secrets and recovery codes) and fields hidden by protectedFields (when protectedFieldsOwnerExempt is false). /verifyPassword is the most severe: with only a username and password (no session or MFA token), an attacker who knows a victim's password could retrieve their MFA secret and recovery codes, defeating the second factor. This issue has been patched in version 9.9.1-alpha.5.
Published: 2026-06-12
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

`/login` and `/verifyPassword` endpoints in Parse Server allow an attacker to retrieve raw `authData` for a user, including MFA TOTP secrets and recovery codes, as well as fields hidden by `protectedFields`. The flaw occurs when the re-fetch of the `_User` through the normal access-control pipeline is denied and the server falls back to the raw database row. With only a username and password, an attacker could obtain the second-factor data, effectively bypassing MFA. The exposed data is highly sensitive as it can be used to compromise accounts or gain administrative access.
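To make the fail-open fallback concrete, here is a small Node.js model added for this page; it is not Parse Server's code and does not reproduce the upstream patch. It assumes simplified `CLP`, `PROTECTED_FIELDS`, `sanitize` and handler functions, and a constructed user row whose secret values are placeholders.

```javascript
// Simplified model of the fallback described above. Constructed for illustration;
// this is not Parse Server code and the sample values are placeholders, not real secrets.

// Raw _User row as stored: carries authData (MFA secret, recovery codes) and a field
// that the app lists in protectedFields.
const RAW_USER_ROW = {
  objectId: 'u1',
  username: 'alice',
  email: 'alice@example.test',
  authData: { mfa: { secret: 'TOTP-SECRET-PLACEHOLDER', recovery: ['rc-1', 'rc-2'] } },
};

const CLP = { get: { '*': false } };          // Class-Level Permission: get on _User denied
const PROTECTED_FIELDS = { '*': ['email'] };  // hidden from everyone (owner exemption omitted)

// What the access-controlled pipeline strips before a user object leaves the server.
function sanitize(row, protectedFields) {
  const out = { ...row };
  delete out.authData;
  for (const field of protectedFields['*']) delete out[field];
  return out;
}

// Re-fetch through the pipeline: enforces the CLP first, then sanitizes.
// Throws when the CLP denies get, which is the denied re-fetch the advisory describes.
function fetchUserViaPipeline(row, clp, protectedFields) {
  if (clp.get['*'] === false) throw new Error('Permission denied: get on _User');
  return sanitize(row, protectedFields);
}

// Vulnerable shape: on denial, fall back to the raw row (fail-open), leaking authData
// and protected fields to anyone who can call /login or /verifyPassword.
function vulnerableLoginResponse(row) {
  try { return fetchUserViaPipeline(row, CLP, PROTECTED_FIELDS); }
  catch (_denied) { return row; }
}

// Hardened shape: on denial, never return the raw row; apply the same sanitization the
// pipeline would (fail-closed), so the fallback can only remove fields, never add them.
function hardenedLoginResponse(row) {
  try { return fetchUserViaPipeline(row, CLP, PROTECTED_FIELDS); }
  catch (_denied) { return sanitize(row, PROTECTED_FIELDS); }
}

// Defender check for a captured /login or /verifyPassword response body.
function leaksSensitiveFields(body, protectedFields = PROTECTED_FIELDS) {
  return 'authData' in body || protectedFields['*'].some((field) => field in body);
}
```

Running `leaksSensitiveFields` against a captured login response from a staging deployment is a quick way to confirm whether an instance still exhibits the fallback.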

Affected Systems

This issue affects the open-source Parse Server community edition (`parse-community:parse-server`). Versions from 9.8.0 up to, but not including, 9.9.1-alpha.5 are vulnerable. All instances using MFA with a Class-Level Permission that denies `get` on the `_User` class are at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. Exploitation would likely occur over the public network via the exposed HTTP endpoints, requiring the attacker to know or guess a user's password. Where MFA is enabled for that account, the attacker could then retrieve its MFA secrets and defeat the second authentication factor. This makes the vulnerability relevant for environments that rely on MFA for account protection.

Generated by OpenCVE AI on June 12, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.9.1-alpha.5 or later to apply the fix
  • If an upgrade is not possible immediately, restrict network access to the `/login` and `/verifyPassword` endpoints to trusted IP ranges or internal networks
  • Review Class-Level Permissions on the `_User` class to ensure that unauthenticated `get` requests are denied
  • If MFA cannot be used until a patch is applied, consider disabling MFA for affected accounts temporarily


Tracking


Advisories

No advisories yet.

History

Sat, 13 Jun 2026 04:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 20:00:00 +0000

Type: First Time appeared
Values Added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values Added: Parse Community; Parse Community parse Server

Fri, 12 Jun 2026 18:45:00 +0000

Type: Description
Values Added: the vulnerability description (text as shown in the Description section above)

Type: Title
Values Added: Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied

Type: Weaknesses
Values Added: CWE-200

Type: References
Values Added: none listed

Type: Metrics (cvssV4_0)
Values Added: {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-13T03:27:16.713Z

Reserved: 2026-06-10T16:43:31.242Z

Link: CVE-2026-53725

Vulnrichment

Updated: 2026-06-13T03:27:12.243Z

NVD

Status: Received

Published: 2026-06-12T19:16:30.370

Modified: 2026-06-12T19:16:30.370

Link: CVE-2026-53725

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T19:45:27Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor