CVE-2026-33627: Sensitive Information Disclosure via Master Key Context in Parse Server
Vulnerability ID: CVE-2026-33627
CVSS Score: 7.1
Published: 2026-03-24
Parse Server versions prior to 8.6.61 and 9.6.0-alpha.55 suffer from an information disclosure vulnerability (CWE-200) in the /users/me endpoint. The server retrieves user objects using the Master Key context, bypassing security filters and exposing raw Multi-Factor Authentication (MFA) secrets and recovery codes to authenticated users.
TL;DR
Parse Server leaks raw MFA secrets (TOTP seeds, recovery codes) via the /users/me endpoint due to an over-privileged Master Key query. Updating to versions 8.6.61 or 9.6.0-alpha.55 mitigates the issue.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-200
- Attack Vector: Network
- CVSS Score: 7.1
- Impact: Confidentiality (High)
- Exploit Status: Proof of Concept
- Privileges Required: Low
Affected Systems
- Parse Server: < 8.6.61 (Fixed in: 8.6.61)
- Parse Server: >= 9.0.0, < 9.6.0-alpha.55 (Fixed in: 9.6.0-alpha.55)
Code Analysis
Commit: 5b8998e
Fix information disclosure in /users/me endpoint for Parse Server v8
Commit: 875cf10
Fix information disclosure in /users/me endpoint for Parse Server v9
Exploit Details
- GitHub: Official test case demonstrating the vulnerability (spec/vulnerabilities.spec.js)
Mitigation Strategies
- Upgrade Parse Server to a patched version (8.6.61 or 9.6.0-alpha.55).
- Temporarily disable MFA functionality if patching is not immediately feasible.
- Implement custom API middleware to intercept and sanitize responses from the /users/me endpoint.
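The middleware mitigation above, as an added example that is not part of this advisory or of Parse Server's own code. It wraps res.json for the /users/me route and strips MFA secret material before the body leaves the server; the field layout authData.mfa.{secret,recovery} and the mount path are assumptions, so confirm them against a real response from your deployment (the containsMfaSecrets helper is there for exactly that check).

```javascript
// Added example (not Parse Server's own code): Express-style middleware that
// removes MFA secret material from /users/me responses. The layout
// authData.mfa.{secret,recovery} is an ASSUMPTION about the stored shape;
// verify it against a response from your own deployment before relying on it.
const SENSITIVE_MFA_KEYS = ['secret', 'recovery'];

// Return a copy of a user object with MFA secret material removed from
// authData.mfa, leaving non-secret fields such as the enrolment status intact.
function sanitizeUserResponse(body) {
  if (!body || typeof body !== 'object' || !body.authData || !body.authData.mfa) {
    return body;
  }
  const mfa = { ...body.authData.mfa };
  for (const key of SENSITIVE_MFA_KEYS) delete mfa[key];
  return { ...body, authData: { ...body.authData, mfa } };
}

// Audit helper: does a response body still carry MFA secret material?
// Useful as a post-patch verification or as a response-logging alert condition.
function containsMfaSecrets(body) {
  const mfa = body && body.authData && body.authData.mfa;
  return Boolean(mfa) && SENSITIVE_MFA_KEYS.some((k) => k in mfa);
}

// Middleware: mount it BEFORE the ParseServer app so res.json is already wrapped
// when the /users/me route runs. The suffix check covers any mount point
// (e.g. /parse/users/me); every other route is passed through untouched.
function mfaResponseSanitizer() {
  return function (req, res, next) {
    if (!req.path.endsWith('/users/me')) return next();
    const originalJson = res.json.bind(res);
    res.json = (body) => originalJson(sanitizeUserResponse(body));
    return next();
  };
}

// Constructed sample of a leaking response (made-up values, not real secrets).
const sampleLeak = {
  objectId: 'abc123',
  username: 'alice',
  authData: {
    mfa: { status: 'enabled', secret: 'JBSWY3DPEHPK3PXP', recovery: ['111111', '222222'] },
  },
};

const cleaned = sanitizeUserResponse(sampleLeak);
console.log('leaks before:', containsMfaSecrets(sampleLeak), 'after:', containsMfaSecrets(cleaned));
console.log(JSON.stringify(cleaned));
```

Mount it with app.use(mfaResponseSanitizer()) ahead of the ParseServer mount; it is a stopgap for the window before upgrading, not a replacement for the fix.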
Remediation Steps:
- Verify the current running version of Parse Server.
- Update the parse-server dependency in your package.json to 8.6.61 or 9.6.0-alpha.55.
- Rebuild and redeploy the application.
- Audit existing accounts for suspicious MFA configuration changes or unauthorized logins.
References
- Parse Server Security Advisory (GHSA-37mj-c2wf-cx96)
- MITRE CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- MITRE ATT&CK: Unsecured Credentials (T1552)
- MITRE ATT&CK: Data from Local System (T1005)