CVE-2026-34215
Information Disclosure in Parse Server Exposes MFA Secrets via Password Verification

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-31
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 8 associated CPEs
Vendor         Product       Version / Range
parseplatform  parse-server  From 9.0.0 (inc) to 9.7.0 (exc)
parseplatform  parse-server  9.7.0
parseplatform  parse-server  9.7.0
parseplatform  parse-server  9.7.0
parseplatform  parse-server  9.7.0
parseplatform  parse-server  9.7.0
parseplatform  parse-server  9.7.0
parseplatform  parse-server  to 8.6.63 (exc)
CWE ID   Description
CWE-200  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34215 is a high-severity vulnerability in the parse-server npm package affecting versions before 8.6.63 and versions from 9.0.0 up to but not including 9.7.0-alpha.7.

The vulnerability occurs because the verify password endpoint returns unsanitized authentication data, including sensitive information such as Multi-Factor Authentication (MFA) Time-based One-Time Password (TOTP) secrets, recovery codes, and OAuth access tokens.

An attacker who already knows a user's password can exploit this flaw to extract the MFA secret, allowing them to generate valid MFA codes and bypass multi-factor authentication protections.

This issue has been fixed in versions 8.6.63 and 9.7.0-alpha.7 by sanitizing the authentication data returned by the verify password endpoint.


How can this vulnerability impact me?

If an attacker knows your password, they can exploit this vulnerability to obtain sensitive authentication data such as MFA TOTP secrets, recovery codes, and OAuth access tokens.

This allows the attacker to generate valid MFA codes, effectively bypassing multi-factor authentication protections that are meant to secure your account.

The impact is a high exposure of sensitive authentication data, which compromises the confidentiality of your account and can lead to unauthorized access.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade your Parse Server to a patched version.

  • Upgrade to version 8.6.63 or later if you are using the 8.x branch.
  • Upgrade to version 9.7.0-alpha.7 or later if you are using the 9.x branch.

These versions sanitize the authentication data returned by the verify password endpoint, preventing exposure of MFA secrets, recovery codes, and OAuth access tokens.

No known workarounds exist, so upgrading is the recommended immediate action.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability exposes sensitive authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens, to an attacker who knows a user's password. Such exposure of sensitive information can lead to unauthorized access and compromise of user accounts.

Exposure of sensitive authentication data may negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require protection of personal and authentication information to ensure confidentiality and prevent unauthorized access.

By allowing attackers to bypass multi-factor authentication protections, this vulnerability undermines security controls that are often mandated by these regulations, potentially leading to violations of data protection requirements.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects specific versions of the parse-server npm package, where the verify password endpoint returns unsanitized sensitive authentication data. Detection involves identifying if your system is running a vulnerable version of parse-server (versions >= 9.0.0 and < 9.7.0-alpha.7, or versions below 8.6.63).

You can check the installed parse-server version by running the following command in your environment:

  • npm list parse-server

To detect if the vulnerable verify password endpoint is being accessed or exploited, you can monitor network traffic or server logs for requests to the verify password endpoint and inspect responses for exposure of MFA TOTP secrets, recovery codes, or OAuth access tokens.

For example, using curl to test the verify password endpoint (replace the URL, the mount path, the application ID and the credentials accordingly; Parse Server's REST API rejects requests that lack the X-Parse-Application-Id header):

  • curl -X POST https://your-parse-server.com/parse/verifyPassword -H 'X-Parse-Application-Id: <your-app-id>' -H 'Content-Type: application/json' -d '{"username":"user","password":"password"}'

Inspect the response for any sensitive authentication data that should not be present. If such data is returned, the server is vulnerable.
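Added example, written for this page and not taken from the advisory or from Parse Server's code base: the sanitizing step the fix describes, next to a key-path scan you can run over a captured verify-password response to confirm that a server no longer returns authentication material. The field names (authData, authData.mfa.secret, recovery, access_token) are assumptions about the response shape, and the sample response is constructed with fake values.

```javascript
// Added example (not Parse Server's own code). Assumed response shape: a Parse
// user object whose `authData` holds per-provider material, e.g. `authData.mfa`
// with `secret` / `recovery` and OAuth providers with `access_token`.
const SECRET_KEYS = /^(secret|recovery|recovery_codes|access_token|refresh_token)$/i;

// Return the dotted paths of keys that look like secrets. Values are never
// collected, so the report itself cannot leak anything into logs.
function findSecretPaths(obj, prefix = '') {
  const hits = [];
  if (obj === null || typeof obj !== 'object') return hits;
  for (const [key, value] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (SECRET_KEYS.test(key)) hits.push(path);
    hits.push(...findSecretPaths(value, path));
  }
  return hits;
}

// Strip authentication material before a verifyPassword response leaves the
// server: drop the whole `authData` block (clients never need provider secrets)
// and, as defence in depth, any secret-looking key anywhere else.
function sanitizeVerifyPasswordResponse(user) {
  const { authData, ...rest } = user;
  const scrub = (o) => {
    if (o === null || typeof o !== 'object') return o;
    if (Array.isArray(o)) return o.map(scrub);
    return Object.fromEntries(
      Object.entries(o)
        .filter(([k]) => !SECRET_KEYS.test(k))
        .map(([k, v]) => [k, scrub(v)])
    );
  };
  return scrub(rest);
}

// Constructed sample of a leaky response (all values are fake placeholders).
const leakyResponse = {
  objectId: 'abc123',
  username: 'alice',
  authData: {
    mfa: { secret: 'FAKE-TOTP-SECRET', recovery: ['FAKE-CODE-1', 'FAKE-CODE-2'] },
    facebook: { id: '42', access_token: 'FAKE-OAUTH-TOKEN' },
  },
};

// Report leaked key paths, then show that the sanitized object reports none.
console.log('leaked key paths:', findSecretPaths(leakyResponse));
console.log('after sanitizing:', findSecretPaths(sanitizeVerifyPasswordResponse(leakyResponse)));
```

Run the scan over the parsed JSON body of a captured response: a non-empty path list means the endpoint is still returning material that belongs only on the server.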

