CVE-2026-34215
Severity CVSS v4.0:
HIGH
Type:
CWE-200
Information Leak / Disclosure
Publication date:
31/03/2026
Last modified:
01/04/2026
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7.
Impact
Base Score 4.0
8.20
Severity 4.0
HIGH
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:* | 8.6.63 (excluding) | |
| cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:* | 9.0.0 (including) | 9.7.0 (excluding) |
| cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed
- https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c
- https://github.com/parse-community/parse-server/pull/10323
- https://github.com/parse-community/parse-server/pull/10324
- https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258