Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53725

CVE-2026-53725: Parse Server Information Disclosure Issue

CVE-2026-53725 is an information disclosure vulnerability in Parse Server that exposes sensitive MFA secrets and user data through login endpoints. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-53725 Overview

CVE-2026-53725 is an information disclosure vulnerability in Parse Server, an open source Node.js backend platform. The flaw affects versions from 9.8.0 up to but not including 9.9.1-alpha.5. Applications that enable Multi-Factor Authentication (MFA) and deny get on the _User class through Class-Level Permissions (CLP) expose sensitive user data through the /login and /verifyPassword endpoints. The server falls back to raw database rows when access-controlled re-fetches fail, leaking raw authData including MFA TOTP secrets and recovery codes. This issue is classified under [CWE-200] Information Exposure.

Critical Impact

An attacker who knows a victim's username and password can call /verifyPassword to retrieve the MFA TOTP secret and recovery codes, defeating the second authentication factor.

Affected Products

  • Parse Server version 9.8.0 and later
  • Parse Server versions before 9.9.1-alpha.5
  • Parse Server deployments with MFA enabled and _Userget denied via CLP

Discovery Timeline

  • 2026-06-12 - CVE-2026-53725 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-53725

Vulnerability Analysis

Parse Server's /login and /verifyPassword endpoints re-fetch the authenticated user through an access-controlled query pipeline before returning the response. This pipeline applies Class-Level Permissions, protectedFields filtering, and authentication adapter sanitizers that strip secrets such as TOTP seeds and recovery codes. When the re-fetch is denied by the _Userget permission, the server does not abort or sanitize the response. Instead, it falls back to the raw database row, returning unfiltered fields directly from storage.

The raw row contains the unsanitized authData object, which holds MFA TOTP secrets, recovery codes, and any fields normally hidden by protectedFields when protectedFieldsOwnerExempt is set to false. The /verifyPassword endpoint is the most severe attack surface because it requires only a username and password to invoke, with no session token or MFA challenge.

Root Cause

The root cause is an unsafe fallback path in the response assembly logic. The endpoints treat a permission denial on the post-authentication re-fetch as a signal to use cached raw data, rather than as a signal to sanitize or reject the response. This conflates access control failure with data unavailability, bypassing the sanitization stage that protects secret authentication material.

Attack Vector

An attacker who has obtained a victim's password through phishing, credential stuffing, or database breach sends a request to the /verifyPassword endpoint with the username and password. The server validates the credentials and attempts to re-fetch the user record. The denied _Userget CLP triggers the fallback path, and the server returns the raw authData containing the TOTP secret. The attacker uses the secret to generate valid MFA codes and complete authentication, fully bypassing the second factor.

No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-75v4-m273-5j49 for technical details.

Detection Methods for CVE-2026-53725

Indicators of Compromise

  • High volume of requests to /verifyPassword from a single client or IP, particularly without subsequent session establishment.
  • /login or /verifyPassword responses containing populated authData.mfa fields when CLP denies get on _User.
  • Successful MFA authentication from geographic locations or devices not previously associated with the user account.

Detection Strategies

  • Audit Parse Server response payloads in non-production environments to confirm whether /login and /verifyPassword return raw authData content under the deployed CLP configuration.
  • Review application logs for repeated /verifyPassword calls preceding successful MFA logins from new devices.
  • Correlate authentication events with downstream actions to identify accounts where MFA was bypassed without corresponding TOTP enrollment changes.

Monitoring Recommendations

  • Enable verbose request logging on /login and /verifyPassword endpoints and forward logs to a centralized SIEM.
  • Alert on response sizes from /verifyPassword that exceed the expected schema, which indicates extra fields are being returned.
  • Track MFA recovery code usage rates and flag accounts where recovery codes are consumed shortly after a password verification call.

How to Mitigate CVE-2026-53725

Immediate Actions Required

  • Upgrade Parse Server to version 9.9.1-alpha.5 or later as soon as feasible.
  • Rotate MFA TOTP secrets and regenerate recovery codes for all users on affected deployments, since existing secrets may have been disclosed.
  • Force password resets for any account showing anomalous /verifyPassword activity in logs.

Patch Information

The vulnerability is patched in Parse Server version 9.9.1-alpha.5. The fix is delivered through Parse Server Pull Request #10492 and documented in the GitHub Security Advisory GHSA-75v4-m273-5j49. The patch ensures that /login and /verifyPassword responses honor the sanitization pipeline regardless of CLP get results.

Workarounds

  • Grant get permission on the _User class via Class-Level Permissions so the access-controlled re-fetch succeeds and sanitizers run.
  • Set protectedFieldsOwnerExempt to true and define protectedFields to strip authData from responses where feasible.
  • Restrict network access to the /verifyPassword endpoint to trusted application backends only, blocking direct client invocation at the reverse proxy.
bash
# Upgrade Parse Server to the patched version
npm install parse-server@9.9.1-alpha.5

# Verify installed version
npm list parse-server

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.