CVE-2026-33627
Received Received - Intake
Authentication Bypass in Parse Server Exposes MFA Secrets

Publication date: 2026-03-24

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. This issue has been patched in versions 8.6.61 and 9.6.0-alpha.55.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33627
EUVD
EUVD-2026-14980
Affected Vendors & Products
Showing 56 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server to 8.6.61 (exc)
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
parseplatform parse-server 9.6.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Parse Server versions prior to 8.6.61 and 9.6.0-alpha.55. An authenticated user calling the GET /users/me endpoint receives unsanitized authentication data, including sensitive credentials such as MFA TOTP secrets and recovery codes.

The issue arises because the endpoint uses master-level authentication internally for the session query, causing the master context to leak into the user data. This bypasses the usual sanitization performed by the authentication adapter.

As a result, an attacker who obtains a user's session token can extract MFA secrets and generate valid TOTP codes indefinitely.

This vulnerability has been fixed in versions 8.6.61 and 9.6.0-alpha.55 of Parse Server.

Impact Analysis

If exploited, this vulnerability allows an attacker with a user's session token to access sensitive multi-factor authentication (MFA) secrets, including TOTP secrets and recovery codes.

This means the attacker can generate valid TOTP codes indefinitely, effectively bypassing MFA protections and gaining unauthorized access to the user's account.

Such unauthorized access can lead to account compromise, data theft, and potential further exploitation within the affected infrastructure.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Parse Server to version 8.6.61 or later, or to version 9.6.0-alpha.55 or later, where the issue has been patched.

Additionally, ensure that only authenticated users with proper authorization can access the GET /users/me endpoint, and consider invalidating existing session tokens to prevent attackers from using leaked MFA secrets.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33627. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart