CVE-2026-53725
Information Disclosure in Parse Server

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassword endpoints. These endpoints re-fetch the user through the access-controlled query pipeline (CLP, protectedFields, auth-adapter sanitizers) before responding. When that re-fetch was denied by the _User get permission, the server fell back to the raw database row, exposing raw authData (including MFA TOTP secrets and recovery codes) and fields hidden by protectedFields (when protectedFieldsOwnerExempt is false). /verifyPassword is the most severe: with only a username and password (no session or MFA token), an attacker who knows a victim's password could retrieve their MFA secret and recovery codes, defeating the second factor. This issue has been patched in version 9.9.1-alpha.5.
Affected Vendors & Products

Vendor            Product        Version / Range
parse_server      parse_server   up to 9.9.1-alpha.5 (excluded)
parse_community   parse_server   up to 9.9.1-alpha.5 (excluded)
parse_community   parse_server   9.9.1-alpha.5
CWE ID    Description
CWE-200   The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

CVE-2026-53725 is a security vulnerability in Parse Server versions 9.8.0 to before 9.9.1-alpha.5. It occurs when apps enable multi-factor authentication (MFA) and deny get access on the _User class via Class-Level Permissions (CLP). The /login and /verifyPassword endpoints normally re-fetch user data through access-controlled queries, but if that re-fetch is denied, the server falls back to returning the raw database user record. This fallback exposes sensitive information such as MFA TOTP secrets, recovery codes, and fields hidden by protectedFields.

The /verifyPassword endpoint is especially severe because an attacker who knows a victim's username and password (without needing a session or MFA token) can retrieve the victim's MFA secrets and recovery codes, effectively bypassing the second factor of authentication.

This issue was fixed in version 9.9.1-alpha.5 by changing the behavior so that when a re-fetch is denied, only the user's identity (and session token for /login) is returned, preventing exposure of sensitive data.

Impact Analysis

This vulnerability can lead to unauthorized exposure of sensitive user data, including MFA secrets and recovery codes, which are critical for securing user accounts.

An attacker who knows a user's username and password could exploit this flaw to bypass multi-factor authentication, gaining full access to the victim's account without needing the second authentication factor.

This undermines the security guarantees of MFA, increasing the risk of account compromise, data theft, and unauthorized actions within applications using vulnerable Parse Server versions.

Detection Guidance

This vulnerability exposes MFA secrets and protectedFields-hidden data through the /login and /verifyPassword endpoints when Class-Level Permissions deny get on the _User class. Detection therefore consists of testing these endpoints against a deployment you operate and inspecting the response body for data the server should never return.

You can attempt to detect the vulnerability by making requests to the /login and /verifyPassword endpoints with valid usernames and passwords but without valid sessions or MFA tokens, especially when MFA and CLP are enabled. If the response includes raw authData such as MFA TOTP secrets or recovery codes, the system is vulnerable.

  • Use curl or a similar tool to call the /verifyPassword endpoint with credentials for a test account on your own deployment and inspect the response for MFA data.
  • Example command (Parse Server requires the X-Parse-Application-Id header; replace the host, mount path and placeholder values with your own): curl -X POST https://your-parse-server.com/verifyPassword -H 'X-Parse-Application-Id: YOUR_APP_ID' -H 'Content-Type: application/json' -d '{"username":"knownUser","password":"knownPassword"}'
  • Check whether the response contains an authData object (where MFA TOTP secrets and recovery codes are stored) or any field you have hidden via protectedFields; neither should be present when the _User get re-fetch is denied.
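The inspection step above can be automated. The following is an added example for this page, not Parse Server project code: it takes the parsed JSON body returned by /login or /verifyPassword and reports every field that an access-denied re-fetch should not have exposed, namely anything under authData and any field named in the app's protectedFields list. The sample responses, the `authData.mfa` layout, the protected-field names and the helper names (`findLeakedFields`, `assessResponse`) are constructed for illustration and are not the adapter's real schema.

```javascript
// Added example for the CVE-2026-53725 page; it is not Parse Server project code.
// Given the JSON body returned by /login or /verifyPassword, report any field
// that an access-denied _User re-fetch should never have exposed: anything under
// authData (where MFA TOTP secrets and recovery codes live) and any field the
// app lists in protectedFields. The nested layout of authData.mfa used in the
// samples is a constructed illustration, not the real adapter schema.

// Recursively collect dotted paths to every leaf value beneath `value`.
// Arrays are treated as leaves so a recovery-code list reports as one path.
function collectLeafPaths(value, prefix, out) {
  if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
    for (const key of Object.keys(value)) {
      collectLeafPaths(value[key], `${prefix}.${key}`, out);
    }
  } else {
    out.push(prefix);
  }
}

// Return the list of leaked field paths in a response body, or [] when clean.
function findLeakedFields(responseBody, protectedFields = []) {
  const leaks = [];
  if (responseBody === null || typeof responseBody !== 'object') {
    return leaks;
  }
  if ('authData' in responseBody) {
    const before = leaks.length;
    collectLeafPaths(responseBody.authData, 'authData', leaks);
    // Even an empty authData object should not be present: report the key itself.
    if (leaks.length === before) leaks.push('authData');
  }
  for (const field of protectedFields) {
    if (field in responseBody) leaks.push(field);
  }
  return leaks;
}

// Convenience wrapper: a verdict plus the offending paths.
function assessResponse(responseBody, protectedFields) {
  const leaks = findLeakedFields(responseBody, protectedFields);
  return { vulnerable: leaks.length > 0, leaks };
}

// Constructed sample: the shape a raw-database-row fallback might have.
const SAMPLE_LEAKY_RESPONSE = {
  objectId: 'u1A2b3C4d5',
  username: 'alice',
  phone: '+1-555-0100', // hidden by protectedFields in this constructed app
  authData: {
    mfa: {
      secret: 'CONSTRUCTED-TOTP-SECRET',
      recovery: ['CONSTRUCTED-CODE-1', 'CONSTRUCTED-CODE-2'],
    },
  },
};

// Constructed sample: patched behaviour returns identity (plus sessionToken for /login) only.
const SAMPLE_CLEAN_RESPONSE = {
  objectId: 'u1A2b3C4d5',
  username: 'alice',
  sessionToken: 'r:CONSTRUCTED-SESSION',
};

// Fields this constructed app hides via protectedFields.
const APP_PROTECTED_FIELDS = ['phone', 'email'];

// Stand-alone run: prints one verdict per sample.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(assessResponse(SAMPLE_LEAKY_RESPONSE, APP_PROTECTED_FIELDS));
  console.log(assessResponse(SAMPLE_CLEAN_RESPONSE, APP_PROTECTED_FIELDS));
}
```

In practice you would feed `findLeakedFields` the parsed body of the curl call above together with the protectedFields list from your own server configuration; a non-empty result on a /login or /verifyPassword response means the deployment is still on a vulnerable version or is otherwise returning the raw row.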
Mitigation Strategies

The primary and recommended mitigation is to upgrade Parse Server to version 9.9.1-alpha.5 or later, where the vulnerability has been patched.

In the patched version, the /login and /verifyPassword endpoints no longer fall back to returning raw database rows when access is denied, instead returning only the user's identity or session token, preventing exposure of sensitive MFA secrets and protected fields.

There are no effective workarounds that preserve the intended _User get restrictions while preventing this data exposure.

  • Upgrade Parse Server to version 9.9.1-alpha.5 or later as soon as possible.
  • Review and verify Class-Level Permissions and MFA settings to ensure they are correctly configured.
Compliance Impact

This vulnerability exposes sensitive user data, including MFA TOTP secrets and recovery codes, as well as fields hidden by protectedFields, to unauthorized actors. Such exposure of sensitive authentication data can lead to violations of data protection regulations like GDPR and HIPAA, which require the protection of personal and authentication information against unauthorized access.

By allowing attackers to bypass multi-factor authentication and access sensitive user information, the vulnerability undermines security controls that are often mandated by these standards to protect user privacy and data integrity.

Therefore, affected deployments that do not apply the patch may be non-compliant with these regulations until the vulnerability is remediated.
