{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34215", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T15:57:52.324Z", "datePublished": "2026-03-31T19:34:50.217Z", "dateUpdated": "2026-04-03T16:24:14.183Z"}, "containers": {"cna": {"title": "Parse Server: Auth data exposed via verify password endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258"}, {"name": "https://github.com/parse-community/parse-server/pull/10323", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10323"}, {"name": "https://github.com/parse-community/parse-server/pull/10324", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10324"}, {"name": "https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed"}, {"name": "https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 8.6.63", "status": "affected"}, {"version": ">= 9.0.0, < 9.7.0-alpha.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T21:42:11.539Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7."}], "source": {"advisory": "GHSA-wp76-gg32-8258", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:23:36.997941Z", "id": "CVE-2026-34215", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:24:14.183Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-34215", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:23:36.997941Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:24:09.145Z"}}], "cna": {"title": "Parse Server: Auth data exposed via verify password endpoint", "source": {"advisory": "GHSA-wp76-gg32-8258", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": "< 8.6.63"}, {"status": "affected", "version": ">= 9.0.0, < 9.7.0-alpha.7"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/pull/10323", "name": "https://github.com/parse-community/parse-server/pull/10323", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/pull/10324", "name": "https://github.com/parse-community/parse-server/pull/10324", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed", "name": "https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c", "name": "https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T21:42:11.539Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34215", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:24:14.183Z", "dateReserved": "2026-03-26T15:57:52.324Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T19:34:50.217Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "55425CF6-83BE-4F06-82F5-76EAFDCE6C5C", "versionEndExcluding": "8.6.63", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E3DFF698-B3EE-4DCA-BAF3-9BE52F0F77D7", "versionEndExcluding": "9.7.0", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "3A140D3A-AECC-4CA1-958C-3CA53E313B27", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "BEDAEFBC-DA77-4998-BDD6-A139E15E5CC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "8C9E59AF-3B82-4D61-847B-A18E7DDF7A34", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "2AB743CC-D168-4313-A5AA-43CF76D178E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "C351C736-AB91-4985-A0B4-43B120F5E5C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "F02797C9-E67D-4BF4-BB56-8D6DA9178322", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7."}], "id": "CVE-2026-34215", "lastModified": "2026-04-03T17:16:43.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T20:16:29.013", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/pull/10323"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/pull/10324"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.63)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.7.0-alpha.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-04-02T04:54:41.435718+00:00", "value": {"mitigation_remediation": ["Upgrade Parse Server to version 8.6.63 or later, or 9.7.0\u2011alpha.7 or later, to apply the patch.", "If an upgrade cannot be performed immediately, disable or restrict the verify password endpoint to prevent disclosure of sensitive authentication data."], "summary": {"action": "Immediate Patch", "impact": "Data exposure of authentication secrets"}, "threat_synthesis": {"affected_systems": "Parse Community\u2019s Parse Server, which runs on Node.js, is affected. All versions released before 8.6.63 and before 9.7.0\u2011alpha.7 contain the vulnerability. This includes every prior minor and release candidate build of Parse Server.", "description_and_impact": "The vulnerability lies within the verify password endpoint of Parse Server: when a user\u2019s credentials are validated, the endpoint returns unsanitized authentication data that includes MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who possesses a user\u2019s password can extract the MFA secret and generate valid one\u2011time codes, thereby bypassing multi\u2011factor authentication and gaining unauthorized access to the account.", "risk_and_exploitability": "The problem carries a high severity rating of 8.2, yet the estimated likelihood of exploitation is below 1%. It is not listed in the CISA KEV catalog. Attackers must first obtain a victim\u2019s password through phishing, credential stuffing, or other means. Once authenticated, they can retrieve the MFA secret and use it to produce valid MFA codes, effectively undermining the second factor and compromising the target account."}}}}, "created": "2026-04-02T07:53:05.278303+00:00", "updated": "2026-04-02T20:11:00.992591+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}