CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-53725: Sensitive Information Disclosure via MFA Re-fetch Bypass in Parse Server

Vulnerability ID: CVE-2026-53725
CVSS Score: 5.9
Published: 2026-06-19

CVE-2026-53725 is a critical sensitive information disclosure vulnerability in Parse Server (versions 9.8.0 to < 9.9.1-alpha.5). When Multi-Factor Authentication (MFA) is enabled and read access to the _User class is restricted via Class-Level Permissions (CLPs), the /login and /verifyPassword endpoints improperly fall back to returning the raw database row when the post-authentication mock re-fetch of the user fails. That raw row carries plaintext MFA TOTP secrets, recovery codes, and fields designated as protected, so an attacker who already holds a user's password can bypass multi-factor authentication controls entirely.

TL;DR

Parse Server improperly falls back to returning raw, unsanitized database rows containing plaintext MFA TOTP secrets and recovery codes when user re-fetch queries are blocked by restricted Class-Level Permissions, allowing attackers with primary credentials to bypass second-factor controls.
Technical Details

  • CWE ID: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • Attack Vector: Network (AV:N)
  • CVSS v4.0 Score: 5.9 (Medium)
  • EPSS Score: 0.00251 (Percentile: 16.20%)
  • Impact: Full multi-factor authentication bypass and sensitive profile information leak
  • Exploit Status: None (No public exploit code or active exploitation reported)
  • KEV Status: Not listed in CISA KEV catalog

Affected Systems

  • Parse Server
  • parse-server: >= 9.8.0, < 9.9.1-alpha.5 (Fixed in: 9.9.1-alpha.5)

Code Analysis

Commit: d3a3603

Fix _User CLP refetch fallback leaks raw MFA secrets and protected fields

Mitigation Strategies

  • Upgrade Parse Server to a non-vulnerable version immediately.
  • Ensure Class-Level Permissions do not cause unexpected exceptions during internal authentication mock re-fetches.
  • Monitor response payload schemas for high-risk attributes like 'authData.mfa.secret' at the API gateway layer.
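
As an added defensive example (not code from the report or from Parse Server), a small Node.js check of the kind the monitoring bullet above describes: it scans a /login or /verifyPassword response body for 'authData.mfa.secret' and for any field the deployment marks as protected, and redacts them before the response is forwarded. The 'authData.mfa.recovery' and 'password' paths and the sample body are assumptions for illustration.

```javascript
// Added example, not code from the report or from Parse Server: a gateway-side
// check for fields that a leaked raw _User row would carry. Only
// 'authData.mfa.secret' is named in the report; the other paths are assumed.
const SENSITIVE_PATHS = [
  'authData.mfa.secret',     // plaintext TOTP secret (named in the report)
  'authData.mfa.recovery',   // assumed location of MFA recovery codes
  'password',                // hashed password column of a raw _User row
];

// Resolve a dotted path inside a nested object; undefined when any step is missing.
function getPath(obj, path) {
  return path.split('.').reduce(
    (cur, key) => (cur !== null && typeof cur === 'object' ? cur[key] : undefined),
    obj,
  );
}

// Return every sensitive path (built-in list plus the deployment's own
// protected fields on _User) that is present in the response body.
function findLeakedFields(body, protectedFields = []) {
  return [...SENSITIVE_PATHS, ...protectedFields]
    .filter((p) => getPath(body, p) !== undefined);
}

// Return a copy of body with every leaked path removed; the original is left
// untouched so the caller can still log it. JSON round-trip is an adequate deep copy.
function redactLeakedFields(body, protectedFields = []) {
  const copy = JSON.parse(JSON.stringify(body));
  for (const p of findLeakedFields(copy, protectedFields)) {
    const keys = p.split('.');
    const last = keys.pop();
    const parent = keys.length === 0 ? copy : getPath(copy, keys.join('.'));
    if (parent !== null && typeof parent === 'object') delete parent[last];
  }
  return copy;
}

// Constructed sample of what a leaked raw row in a login response could look
// like; every value is a placeholder, not a real credential.
const leakedLoginResponse = {
  objectId: 'xyz123',
  username: 'alice',
  sessionToken: 'r:placeholder-token',
  password: '$2b$10$placeholder-hash',
  authData: { mfa: { secret: 'PLACEHOLDER-BASE32', recovery: ['0000-1111'] } },
  ssn: 'placeholder-protected-field',
};

// Gateway usage: forward only the redacted body (findLeakedFields gives the audit list).
const forwardable = redactLeakedFields(leakedLoginResponse, ['ssn']);
```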

Remediation Steps:

  1. Update parse-server in package.json to version 9.9.1-alpha.5 or higher.
  2. Redeploy the application service containers.
  3. Review user Class-Level Permissions (CLPs) to confirm that standard authenticated sessions perform expected mock query actions.
  4. Audit existing user authentication logs for anomalous calls to /verifyPassword.
