CVE-2026-34215 | THREATINT

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7.

PUBLISHED Reserved 2026-03-26 | Published 2026-03-31 | Updated 2026-04-03 | Assigner GitHub_M

HIGH: 8.2CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

< 8.6.63

affected

>= 9.0.0, < 9.7.0-alpha.7

affected

References

github.com/...server/security/advisories/GHSA-wp76-gg32-8258

github.com/parse-community/parse-server/pull/10323

github.com/parse-community/parse-server/pull/10324

github.com/...ommit/770be8647424d92f5425c41fa81065ffbbb171ed

github.com/...ommit/a1d4e7b12a12f16d3870dbee582a36765858e94c

cve.org (CVE-2026-34215)

nvd.nist.gov (CVE-2026-34215)

Download JSON