CVE-2026-34215

HIGH EPSS 21.9%
Published Mar 31, 20263mo ago · Modified Jun 17, 20261w ago
8.2 CVSS 4.0
High
Find Similar
Published Mar 31, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7.

CVSS Details

Base Score
8.2
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
21.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure

Affected Products 8

VendorProductVersionRange
parseplatformparse-server* <8.6.63
parseplatformparse-server*≥9.0.0  –  <9.7.0
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any

References 5

  • github.com https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed
    Patch
  • github.com https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c
    Patch
  • github.com https://github.com/parse-community/parse-server/pull/10323
    Issue TrackingPatch
  • github.com https://github.com/parse-community/parse-server/pull/10324
    Issue TrackingPatch
  • github.com https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258
    PatchVendor Advisory

Remediation

  • github.com https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed
    Patch
  • github.com https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c
    Patch
  • github.com https://github.com/parse-community/parse-server/pull/10323
    Issue TrackingPatch
  • github.com https://github.com/parse-community/parse-server/pull/10324
    Issue TrackingPatch
  • github.com https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258
    PatchVendor Advisory