Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. This issue has been patched in versions 8.6.61 and 9.6.0-alpha.55.
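The defect class described above is a caller context (the master-level context of the internal session lookup) flowing into the step that sanitizes the user's auth data. The following is an added example, not Parse Server's own code: a sanitization step keyed on the caller's context, plus a check a defender can run over a real `GET /users/me` response body. The `authData.mfa.secret` / `authData.mfa.recovery` field names are assumptions for illustration.

```javascript
// Added example (not Parse Server code). Field names under authData
// (authData.mfa.secret, authData.mfa.recovery) are assumptions; adapt
// them to the real auth adapter's layout.
const SENSITIVE_AUTH_KEYS = new Set(['secret', 'recovery', 'recoveryCodes', 'token']);

// Return a copy of an authData map with sensitive keys removed from every
// provider entry, unless the caller really holds the master key.
function sanitizeAuthData(authData, { isMaster = false } = {}) {
  if (isMaster || authData == null) return authData;
  const clean = {};
  for (const [provider, data] of Object.entries(authData)) {
    if (data && typeof data === 'object') {
      clean[provider] = Object.fromEntries(
        Object.entries(data).filter(([key]) => !SENSITIVE_AUTH_KEYS.has(key))
      );
    } else {
      clean[provider] = data;
    }
  }
  return clean;
}

// Build the object returned to the caller of GET /users/me. The context
// passed here must be the external caller's, never the master-level context
// used for the internal session query.
function buildMeResponse(user, callerContext) {
  return { ...user, authData: sanitizeAuthData(user.authData, callerContext) };
}

// Regression check over a response body: true if any provider entry still
// carries a sensitive key, i.e. the sanitization was bypassed.
function responseLeaksAuthSecrets(body) {
  const authData = body && body.authData;
  if (!authData || typeof authData !== 'object') return false;
  return Object.values(authData).some(
    d => d && typeof d === 'object' && Object.keys(d).some(k => SENSITIVE_AUTH_KEYS.has(k))
  );
}

// Constructed sample user record (not real data).
const sampleUser = {
  objectId: 'u1',
  username: 'alice',
  authData: { mfa: { enabled: true, secret: 'BASE32SECRET', recovery: ['r1', 'r2'] } },
};

// A non-master caller sees MFA status but no secret material.
console.log(JSON.stringify(buildMeResponse(sampleUser, { isMaster: false }).authData));
```

Running `responseLeaksAuthSecrets` against the body your deployed server returns for a session-token request is a quick way to confirm the upgrade to 8.6.61 / 9.6.0-alpha.55 took effect.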
CVSS Score
MEDIUM (CVSS base score 6.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.61 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb62 (Patch)
- https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c5 (Patch)
- https://github.com/parse-community/parse-server/pull/10278 (Issue Tracking)
- https://github.com/parse-community/parse-server/pull/10279 (Issue Tracking)
- https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2 (Vendor Advisory)
FAQ
What is CVE-2026-33627?
CVE-2026-33627 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receive...
How severe is CVE-2026-33627?
CVE-2026-33627 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2026-33627?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.