CVE-2026-34215
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
The verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection.
Patches
The verify password endpoint now sanitizes authentication data through auth adapter hooks before returning the response, consistent with login and user retrieval endpoints.
Workarounds
There is no known workaround.
AnalysisAI
Parse Server's verify password endpoint leaks MFA secrets and OAuth tokens to authenticated users, enabling multi-factor authentication bypass. Attackers who possess a valid user password can extract TOTP secrets and recovery codes from the unsanitized response, then generate valid MFA codes to defeat the second authentication factor. The vulnerability affects the npm package parse-server. No public exploit identified at time of analysis, though exploitation requires only password knowledge and standard API access.
Technical ContextAI
Parse Server is an open-source Node.js backend framework (npm package: parse-server) providing RESTful API services with built-in authentication. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) in the password verification endpoint. Unlike the login and user retrieval endpoints which properly sanitize authentication data through auth adapter hooks, the verify password endpoint returned raw authentication objects containing sensitive cryptographic material. This includes TOTP (Time-based One-Time Password) shared secrets used for MFA code generation, backup recovery codes for account access, and OAuth access tokens for third-party integrations. The root cause is inconsistent data sanitization across authentication endpoints-while the codebase had established patterns for stripping sensitive fields via auth adapter hooks in other authentication flows, this specific endpoint bypassed those protective mechanisms and exposed the complete authentication data structure.
RemediationAI
Apply vendor-released patches immediately by upgrading parse-server to the fixed version specified in the GitHub security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258. The patches implement proper authentication data sanitization through auth adapter hooks in the verify password endpoint, aligning it with the security controls already present in login and user retrieval endpoints. Two pull requests address this issue: PR #10323 and PR #10324, available at https://github.com/parse-community/parse-server/pull/10323 and https://github.com/parse-community/parse-server/pull/10324 respectively. Update the parse-server npm dependency in your package.json and redeploy. The vendor explicitly states there is no known workaround, making immediate patching the only effective remediation. Organizations unable to patch immediately should consider temporarily disabling the verify password endpoint through API gateway rules or implementing additional authentication logging to detect potential exploitation attempts.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-wp76-gg32-8258