Authentication Data Exposure in Parse Server by Parse Community
CVE-2026-34215

8.2 HIGH

Key Information:

Vendor: Parse Community
CVE Published: 31 March 2026

What is CVE-2026-34215?

The vulnerability in Parse Server allows an attacker to obtain a user's unsanitized authentication data through the verify password endpoint. The exposed data includes sensitive material such as MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who already knows a user's password can use the exposed TOTP secret to generate valid MFA codes, effectively circumventing multi-factor authentication. This critical issue has been addressed in Parse Server 8.6.63 and 9.7.0-alpha.7; users should update to those versions or later to secure their applications.
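The defensive pattern behind the fix, as an added example that is not Parse Server's own code: strip everything but a provider's public `id` from `authData` before a user object leaves an endpoint, and a checker that lists secret-bearing keys in a response body. The field names (`mfa.secret`, `mfa.recovery`, `access_token`) and the sample response are constructed assumptions about how the data is laid out.

```javascript
// Added example (not Parse Server code). Assumed layout: authData.<provider>
// holds the adapter's stored fields, e.g. mfa: { secret, recovery } and
// google: { id, access_token }.

// Keys that are safe to echo back to a client for any provider.
const SAFE_AUTH_KEYS = new Set(['id']);

// Keys whose presence in a response body indicates the leak in this advisory.
const SECRET_KEY_PATTERN = /^(secret|recovery|access_token|refresh_token|id_token)$/;

// Return a copy of authData with only allowlisted keys per provider.
function sanitizeAuthData(authData) {
  if (!authData || typeof authData !== 'object') return authData;
  const out = {};
  for (const [provider, data] of Object.entries(authData)) {
    if (data === null) { out[provider] = null; continue; } // null = unlinked provider
    const kept = {};
    for (const [k, v] of Object.entries(typeof data === 'object' ? data : {})) {
      if (SAFE_AUTH_KEYS.has(k)) kept[k] = v;
    }
    out[provider] = kept;
  }
  return out;
}

// Sanitize a user object without mutating the caller's copy.
function sanitizeUserResponse(user) {
  const { authData, ...rest } = user;
  return authData === undefined ? rest : { ...rest, authData: sanitizeAuthData(authData) };
}

// Detection helper: list dotted paths of secret-bearing keys in a response body.
function findLeakedAuthSecrets(body, path = '') {
  const hits = [];
  if (!body || typeof body !== 'object') return hits;
  for (const [k, v] of Object.entries(body)) {
    const p = path ? `${path}.${k}` : k;
    if (SECRET_KEY_PATTERN.test(k)) hits.push(p);
    else hits.push(...findLeakedAuthSecrets(v, p));
  }
  return hits;
}

// Constructed sample resembling a verify password response from an unpatched server.
const SAMPLE_RESPONSE = {
  objectId: 'abc123',
  username: 'alice',
  authData: {
    mfa: { secret: 'JBSWY3DPEHPK3PXP', recovery: ['r1', 'r2'] },
    google: { id: '1234', access_token: 'ya29.constructed' },
  },
};
```

Running `findLeakedAuthSecrets` over a captured response of your own server is a quick way to confirm a deployment no longer echoes these fields after upgrading.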

Affected Version(s)

parse-server < 8.6.63

parse-server >= 9.0.0, < 9.7.0-alpha.7

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 31 March 2026

  • Vulnerability reserved