SpirityCVE

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. This issue has been patched in versions 8.6.61 and 9.6.0-alpha.55.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Parse Community	Parse Server
Parseplatform	Parse-server

Configuration 1 [-]

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha28::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha29::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha30::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha31::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha32::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha33::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha34::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha35::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha36::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha37::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha38::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha39::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha40::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha41::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha42::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha43::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha44::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha45::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha46::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha47::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha48::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha49::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha50::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha51::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha52::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha53::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha54::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9::::node.js::*

No data.

References

Link	Providers
https://www.spirityenterprise.com/pentest
https://www.spirityenterprise.com/managed-detection-response
https://www.spirityenterprise.com/virtual-ciso
https://www.spirityenterprise.com/mdr-for-endpoint
https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c
https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f
https://github.com/parse-community/parse-server/pull/10278
https://github.com/parse-community/parse-server/pull/10279
https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96

History

Wed, 25 Mar 2026 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Parseplatform Parseplatform parse-server
CPEs		cpe:2.3:a:parseplatform:parse-server::::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha28::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha29::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha30::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha31::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha32::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha33::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha34::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha35::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha36::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha37::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha38::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha39::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha40::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha41::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha42::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha43::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha44::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha45::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha46::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha47::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha48::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha49::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha50::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha51::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha52::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha53::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha54::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9::::node.js::*
Vendors & Products		Parseplatform Parseplatform parse-server
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

Wed, 25 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 25 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Parse Community Parse Community parse Server
Vendors & Products		Parse Community Parse Community parse Server

Tue, 24 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. This issue has been patched in versions 8.6.61 and 9.6.0-alpha.55.
Title		Parse Server: Auth data exposed via /users/me endpoint
Weaknesses		CWE-200
References		https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f https://github.com/parse-community/parse-server/pull/10278 https://github.com/parse-community/parse-server/pull/10279 https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96
Metrics		cvssV4_0 `{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-24T18:31:14.703Z

Updated: 2026-03-25T13:38:33.224Z

Reserved: 2026-03-23T14:24:11.617Z

Link: CVE-2026-33627

Vulnrichment

Updated: 2026-03-25T13:38:28.344Z

NVD

Status : Analyzed

Published: 2026-03-24T19:16:55.190

Modified: 2026-03-25T21:16:08.650

Link: CVE-2026-33627

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object