Executive Summary

CVE-2026-34215 is a high-severity vulnerability in the parse-server npm package affecting versions before 8.6.63 and versions from 9.0.0 up to but not including 9.7.0-alpha.7.

The vulnerability occurs because the verify password endpoint returns unsanitized authentication data, including sensitive information such as Multi-Factor Authentication (MFA) Time-based One-Time Password (TOTP) secrets, recovery codes, and OAuth access tokens.

An attacker who already knows a user's password can exploit this flaw to extract the MFA secret, allowing them to generate valid MFA codes and bypass multi-factor authentication protections.

This issue has been fixed in versions 8.6.63 and 9.7.0-alpha.7 by sanitizing the authentication data returned by the verify password endpoint.

Useful 0 Not Useful 0

Impact Analysis

If an attacker knows your password, they can exploit this vulnerability to obtain sensitive authentication data such as MFA TOTP secrets, recovery codes, and OAuth access tokens.

This allows the attacker to generate valid MFA codes, effectively bypassing multi-factor authentication protections that are meant to secure your account.

The impact is a high exposure of sensitive authentication data, which compromises the confidentiality of your account and can lead to unauthorized access.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Parse Server to a patched version.

• Upgrade to version 8.6.63 or later if you are using the 8.x branch.
• Upgrade to version 9.7.0-alpha.7 or later if you are using the 9.x branch.

These versions sanitize the authentication data returned by the verify password endpoint, preventing exposure of MFA secrets, recovery codes, and OAuth access tokens.

No known workarounds exist, so upgrading is the recommended immediate action.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability exposes sensitive authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens, to an attacker who knows a user's password. Such exposure of sensitive information can lead to unauthorized access and compromise of user accounts.

Exposure of sensitive authentication data may negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require protection of personal and authentication information to ensure confidentiality and prevent unauthorized access.

By allowing attackers to bypass multi-factor authentication protections, this vulnerability undermines security controls that are often mandated by these regulations, potentially leading to violations of data protection requirements.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability affects specific versions of the parse-server npm package, where the verify password endpoint returns unsanitized sensitive authentication data. Detection involves identifying if your system is running a vulnerable version of parse-server (versions >= 9.0.0 and < 9.7.0-alpha.7, or versions below 8.6.63).

You can check the installed parse-server version by running the following command in your environment:

• npm list parse-server

To detect if the vulnerable verify password endpoint is being accessed or exploited, you can monitor network traffic or server logs for requests to the verify password endpoint and inspect responses for exposure of MFA TOTP secrets, recovery codes, or OAuth access tokens.

For example, using curl to test the verify password endpoint (replace URL and credentials accordingly):

• curl -X POST https://your-parse-server.com/verifyPassword -d '{"username":"user","password":"password"}' -H 'Content-Type: application/json'

Inspect the response for any sensitive authentication data that should not be present. If such data is returned, the server is vulnerable.

Useful 0 Not Useful 0