CVE-2026-34215
Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-200
Revelación de información
Fecha de publicación:
31/03/2026
Última modificación:
01/04/2026
Descripción
*** Pendiente de traducción *** Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7.
Impacto
Puntuación base 4.0
8.20
Gravedad 4.0
ALTA
Puntuación base 3.x
6.50
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:* | 8.6.63 (excluyendo) | |
| cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:* | 9.0.0 (incluyendo) | 9.7.0 (excluyendo) |
| cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:* | ||
| cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed
- https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c
- https://github.com/parse-community/parse-server/pull/10323
- https://github.com/parse-community/parse-server/pull/10324
- https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258