Sensitive Data Exposure in Parse Server by Parse Community
CVE-2026-33627

7.1HIGH

Key Information:

Vendor

Parse-community

Status
Parse-server
Vendor
CVE Published:
24 March 2026

What is CVE-2026-33627?

Parse Server, an open-source backend platform, has a vulnerability that allows authenticated users to access unsanitized authentication data through the endpoint GET /users/me. This exposure includes sensitive credentials such as Multi-Factor Authentication (MFA) TOTP secrets and recovery codes due to the improper handling of master-level authentication during session queries. Attackers with a user's session token can leak and exploit these secrets to produce valid TOTP codes indefinitely. This critical issue was addressed in the latest versions 8.6.61 and 9.6.0-alpha.55.

Affected Version(s)

parse-server < 8.6.61 < 8.6.61

parse-server >= 9.0.0, < 9.6.0-alpha.55 < 9.0.0, 9.6.0-alpha.55

References

https://github.com/parse-community/parse-server/security/...
x_refsource_CONFIRM
https://github.com/parse-community/parse-server/pull/10278
x_refsource_MISC
https://github.com/parse-community/parse-server/pull/10279
x_refsource_MISC

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.