CVE-2026-33627
UNKNOWN
NVD
CVSS Score
0
Severity
UNKNOWN
Published
Mar 24, 2026
Vendor
unknown
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. This issue has been patched in versions 8.6.61 and 9.6.0-alpha.55.
References
- https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c
- https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f
- https://github.com/parse-community/parse-server/pull/10278
- https://github.com/parse-community/parse-server/pull/10279
- https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96