CVE-2026-33627
Received Received - Intake
Authentication Bypass in Parse Server Exposes MFA Secrets

Publication date: 2026-03-24

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. This issue has been patched in versions 8.6.61 and 9.6.0-alpha.55.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-25
Generated
2026-05-07
AI Q&A
2026-03-24
EPSS Evaluated
2026-05-05
NVD
CVE-2026-33627
EUVD
EUVD-2026-14980
Affected Vendors & Products
Showing 56 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server to 8.6.61 (exc)
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Parse Server versions prior to 8.6.61 and 9.6.0-alpha.55. An authenticated user calling the GET /users/me endpoint receives unsanitized authentication data, including sensitive credentials such as MFA TOTP secrets and recovery codes.

The issue arises because the endpoint uses master-level authentication internally for the session query, causing the master context to leak into the user data. This bypasses the usual sanitization performed by the authentication adapter.

As a result, an attacker who obtains a user's session token can extract MFA secrets and generate valid TOTP codes indefinitely.

This vulnerability has been fixed in versions 8.6.61 and 9.6.0-alpha.55 of Parse Server.


How can this vulnerability impact me? :

If exploited, this vulnerability allows an attacker with a user's session token to access sensitive multi-factor authentication (MFA) secrets, including TOTP secrets and recovery codes.

This means the attacker can generate valid TOTP codes indefinitely, effectively bypassing MFA protections and gaining unauthorized access to the user's account.

Such unauthorized access can lead to account compromise, data theft, and potential further exploitation within the affected infrastructure.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Parse Server to version 8.6.61 or later, or to version 9.6.0-alpha.55 or later, where the issue has been patched.

Additionally, ensure that only authenticated users with proper authorization can access the GET /users/me endpoint, and consider invalidating existing session tokens to prevent attackers from using leaked MFA secrets.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart