CVE-2026-34215 Overview
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A sensitive data exposure vulnerability exists in the verify password endpoint, which returns unsanitized authentication data including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, effectively defeating multi-factor authentication protection.
Critical Impact
This vulnerability allows attackers with knowledge of a user's password to completely bypass MFA protections by extracting TOTP secrets and generating valid authentication codes.
Affected Products
- Parse Server versions prior to 8.6.63
- Parse Server versions 9.7.0-alpha1 through 9.7.0-alpha6
- Applications deployed on Node.js infrastructure using affected Parse Server versions
Discovery Timeline
- 2026-03-31 - CVE-2026-34215 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34215
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The verify password endpoint in Parse Server fails to properly sanitize authentication data before returning it in the response. When a user successfully authenticates via this endpoint, the server returns the complete user object including sensitive MFA configuration data such as TOTP secrets, recovery codes, and OAuth access tokens.
The attack requires knowledge of the target user's password, which may be obtained through credential stuffing, phishing, or other means. Once an attacker has the password and can access the verify password endpoint, they can extract the MFA secret and use it to generate valid TOTP codes, completely bypassing the additional security layer MFA is intended to provide.
Root Cause
The root cause lies in the handleVerifyPassword function within src/Routers/UsersRouter.js. While the function calls UsersRouter.removeHiddenProperties(user) to sanitize the user object, this sanitization was insufficient for authentication data. The authDataManager.runAfterFind() hook, which is responsible for properly filtering sensitive authentication data, was not being called before returning the response to the client.
Attack Vector
The vulnerability is exploitable over the network without user interaction. An attacker requires high-level privileges (knowledge of the target user's password) to exploit this vulnerability. The attack flow is:
- Attacker obtains target user's password through credential compromise
- Attacker sends a verify password request to the Parse Server endpoint
- Server returns unsanitized response containing MFA TOTP secrets
- Attacker uses extracted TOTP secret to generate valid MFA codes
- Attacker can now fully authenticate as the target user, bypassing MFA
// Security patch in src/Routers/UsersRouter.js
// Source: https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed
handleVerifyPassword(req) {
return this._authenticateUserFromRequest(req)
- .then(user => {
+ .then(async user => {
// Remove hidden properties.
UsersRouter.removeHiddenProperties(user);
-
+ await req.config.authDataManager.runAfterFind(req, user.authData);
return { response: user };
})
.catch(error => {
Detection Methods for CVE-2026-34215
Indicators of Compromise
- Unusual volume of requests to the /verifyPassword endpoint from single IP addresses
- Multiple verify password requests for the same user account in short succession
- Successful MFA authentications from unexpected IP addresses or geolocations following verify password requests
- Authentication patterns showing password verification followed by immediate MFA bypass
Detection Strategies
- Monitor Parse Server access logs for patterns of repeated verify password endpoint access
- Implement rate limiting and anomaly detection on authentication endpoints
- Review application logs for large response payloads from the verify password endpoint that may indicate data leakage
- Deploy network-level inspection to identify responses containing sensitive authentication data patterns
Monitoring Recommendations
- Configure alerting for failed MFA attempts followed by successful authentication from different sources
- Implement user behavior analytics to detect account takeover patterns
- Monitor for OAuth token usage from unexpected clients or locations
- Establish baseline metrics for verify password endpoint usage and alert on deviations
How to Mitigate CVE-2026-34215
Immediate Actions Required
- Upgrade Parse Server to version 8.6.63 or later for stable releases
- Upgrade Parse Server to version 9.7.0-alpha.7 or later for alpha releases
- Review authentication logs for potential exploitation attempts
- Consider forcing MFA re-enrollment for high-value accounts if compromise is suspected
Patch Information
The vulnerability has been patched in Parse Server versions 8.6.63 and 9.7.0-alpha.7. The fix adds a call to authDataManager.runAfterFind() to properly sanitize authentication data before returning it to the client. Security patches are available via the following commits:
For additional details, refer to the GitHub Security Advisory GHSA-wp76-gg32-8258.
Workarounds
- If immediate patching is not possible, consider disabling or restricting access to the verify password endpoint
- Implement a reverse proxy or API gateway rule to filter sensitive fields from verify password responses
- Add additional authentication controls such as IP allowlisting for administrative accounts
- Deploy Web Application Firewall (WAF) rules to inspect and sanitize authentication endpoint responses
# Upgrade Parse Server to patched version
npm update parse-server@8.6.63
# Or for alpha channel
npm update parse-server@9.7.0-alpha.7
# Verify installed version
npm list parse-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
