Vulnerability in Parse Server Affects User Data Access in Multi-Factor Authentication
CVE-2026-53725

5.9MEDIUM

Key Information:

Vendor
CVE Published:
12 June 2026

What is CVE-2026-53725?

The Parse Server, an open-source backend platform, suffers from a vulnerability that potentially exposes sensitive user information. In specific versions ranging from 9.8.0 to before 9.9.1-alpha.5, when Multi-Factor Authentication (MFA) is enabled and access to the _User class is restricted through Class-Level Permissions, sensitive data can be retrieved via the /login and /verifyPassword endpoints. During the process of re-fetching user data, if permission to access the _User data is denied, the server defaults to exposing raw database entries. This can result in the leakage of critical information such as MFA TOTP secrets and recovery codes. Particularly concerning is the /verifyPassword endpoint, which allows an attacker with the victim's username and password to bypass MFA entirely, gaining access to the victim's MFA secret. The issue has been addressed in version 9.9.1-alpha.5.

Affected Version(s)

parse-server >= 9.8.0, < 9.9.1-alpha.5

References

CVSS V4

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.