Vulnerability in Parse Server Affects User Data Access in Multi-Factor Authentication
CVE-2026-53725
What is CVE-2026-53725?
The Parse Server, an open-source backend platform, suffers from a vulnerability that potentially exposes sensitive user information. In specific versions ranging from 9.8.0 to before 9.9.1-alpha.5, when Multi-Factor Authentication (MFA) is enabled and access to the _User class is restricted through Class-Level Permissions, sensitive data can be retrieved via the /login and /verifyPassword endpoints. During the process of re-fetching user data, if permission to access the _User data is denied, the server defaults to exposing raw database entries. This can result in the leakage of critical information such as MFA TOTP secrets and recovery codes. Particularly concerning is the /verifyPassword endpoint, which allows an attacker with the victim's username and password to bypass MFA entirely, gaining access to the victim's MFA secret. The issue has been addressed in version 9.9.1-alpha.5.
Affected Version(s)
parse-server >= 9.8.0, < 9.9.1-alpha.5
