CVE-2026-53725
Published 2026-06-12
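Priority: P334 | Severity: medium | CVSS 4.0 score: 5.9
Vector: AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.25% (16.3th percentile)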
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassword endpoints. These endpoints re-fetch the user through the access-controlled query pipeline (CLP, protectedFields, auth-adapter sanitizers) before responding. When that re-fetch was denied by the _User get permission, the server fell back to the raw database row, exposing raw authData (including MFA TOTP secrets and recovery codes) and fields hidden by protectedFields (when protectedFieldsOwnerExempt is false). /verifyPassword is the most severe: with only a username and password (no session or MFA token), an attacker who knows a victim's password could retrieve their MFA secret and recovery codes, defeating the second factor. This issue has been patched in version 9.9.1-alpha.5.
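A simplified model of the fail-open fallback described above, next to a fail-closed variant. This is an added example, not Parse Server source code or the project's patch; every function name, the config shape, the sanitizer behaviour and the sample row are assumptions constructed for illustration.

```javascript
// Model of the fallback described in the advisory. All names are hypothetical;
// this is not Parse Server source code. The row below is constructed sample data.
const rawRow = {
  objectId: 'u1',
  username: 'alice',
  email: 'alice@example.test',
  authData: { mfa: { secret: 'CONSTRUCTED-TOTP-SECRET', recovery: ['rc-1', 'rc-2'] } },
};

class AccessDenied extends Error {}

// Stand-in for the access-controlled pipeline (CLP, protectedFields, sanitizers).
function refetchThroughPipeline(row, config) {
  if (!config.clp.get) throw new AccessDenied('get denied on _User');
  const out = { ...row };
  for (const field of config.protectedFields) delete out[field];
  // Assumed sanitizer behaviour: replace MFA material with a status marker.
  if (out.authData && out.authData.mfa) out.authData = { mfa: { status: 'enabled' } };
  return out;
}

// Fail-open: a denied re-fetch silently falls back to the unsanitized row.
function respondFailOpen(row, config) {
  try {
    return refetchThroughPipeline(row, config);
  } catch (err) {
    return row; // raw authData and protected fields reach the response
  }
}

// Fail-closed: denial yields only an explicit allowlist; other errors propagate.
function respondFailClosed(row, config) {
  try {
    return refetchThroughPipeline(row, config);
  } catch (err) {
    if (!(err instanceof AccessDenied)) throw err;
    return { objectId: row.objectId, username: row.username };
  }
}

// Configuration from the advisory: get denied on _User (email as the protected field is assumed).
const deniedConfig = { clp: { get: false }, protectedFields: ['email'] };
console.log('fail-open  :', JSON.stringify(respondFailOpen(rawRow, deniedConfig)));
console.log('fail-closed:', JSON.stringify(respondFailClosed(rawRow, deniedConfig)));
```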
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | — | — |
| parse-community | parse-server | >= 9.8.0 < 9.9.1-alpha.5 | 9.9.1-alpha.5 |
GHSA
parse-server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
ghsa·2026-06-19
CVE-2026-53725 [MEDIUM] CWE-200 parse-server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
### Impact
Apps that enable MFA and deny `get` on the `_User` class via Class-Level Permissions could expose sensitive user data through the `/login` and `/verifyPassword` endpoints.
These endpoints re-fetch the user through the access-controlled query pipeline (CLP, `protectedFields`, auth-adapter sanitizers) before responding. When that re-fetch was denied by the `_User` `get` permission, the server fell back to the raw database row, exposing raw `authData` (including MFA TOTP secrets and recovery codes) and fields hidden by `protectedFields` (when `protectedFieldsOwnerExempt` is `false`).
`/verifyPassword` is the most severe: with only a username and password (
VulDB
parse-community parse-server up to 9.9.1-alpha.4 Password Endpoint information disclosure (GHSA-75v4-m273-5j49)
vuldb·2026-06-12·CVSS 5.9
CVE-2026-53725 [MEDIUM] parse-community parse-server up to 9.9.1-alpha.4 Password Endpoint information disclosure (GHSA-75v4-m273-5j49)
A vulnerability labeled as problematic has been found in parse-community parse-server up to 9.9.1-alpha.4. Affected is an unknown function of the component Password Endpoint. Such manipulation leads to information disclosure.
This vulnerability is listed as CVE-2026-53725. The attack may be performed from remote. There is no available exploit.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.