Skip to main content

CVE-2026-34215

HIGH
Information Exposure (CWE-200)
2026-03-29 https://github.com/parse-community/parse-server GHSA-wp76-gg32-8258
8.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 29, 2026 - 15:30 vuln.today
Patch released
Mar 29, 2026 - 15:30 nvd
Patch available
CVE Published
Mar 29, 2026 - 15:14 nvd
HIGH 8.2

DescriptionGitHub Advisory

Impact

The verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection.

Patches

The verify password endpoint now sanitizes authentication data through auth adapter hooks before returning the response, consistent with login and user retrieval endpoints.

Workarounds

There is no known workaround.

AnalysisAI

Parse Server's verify password endpoint leaks MFA secrets and OAuth tokens to authenticated users, enabling multi-factor authentication bypass. Attackers who possess a valid user password can extract TOTP secrets and recovery codes from the unsanitized response, then generate valid MFA codes to defeat the second authentication factor. The vulnerability affects the npm package parse-server. No public exploit identified at time of analysis, though exploitation requires only password knowledge and standard API access.

Technical ContextAI

Parse Server is an open-source Node.js backend framework (npm package: parse-server) providing RESTful API services with built-in authentication. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) in the password verification endpoint. Unlike the login and user retrieval endpoints which properly sanitize authentication data through auth adapter hooks, the verify password endpoint returned raw authentication objects containing sensitive cryptographic material. This includes TOTP (Time-based One-Time Password) shared secrets used for MFA code generation, backup recovery codes for account access, and OAuth access tokens for third-party integrations. The root cause is inconsistent data sanitization across authentication endpoints-while the codebase had established patterns for stripping sensitive fields via auth adapter hooks in other authentication flows, this specific endpoint bypassed those protective mechanisms and exposed the complete authentication data structure.

RemediationAI

Apply vendor-released patches immediately by upgrading parse-server to the fixed version specified in the GitHub security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258. The patches implement proper authentication data sanitization through auth adapter hooks in the verify password endpoint, aligning it with the security controls already present in login and user retrieval endpoints. Two pull requests address this issue: PR #10323 and PR #10324, available at https://github.com/parse-community/parse-server/pull/10323 and https://github.com/parse-community/parse-server/pull/10324 respectively. Update the parse-server npm dependency in your package.json and redeploy. The vendor explicitly states there is no known workaround, making immediate patching the only effective remediation. Organizations unable to patch immediately should consider temporarily disabling the verify password endpoint through API gateway rules or implementing additional authentication logging to detect potential exploitation attempts.

Share

CVE-2026-34215 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy