UNKNOWN npm

Parse Server exposes auth data via /users/me endpoint

GHSA-37mj-c2wf-cx96 · BIT-parse-2026-33627 · CVE-2026-33627


Description

Impact

An authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely.

Patches

The /users/me endpoint now queries the session and user data separately, using the caller's authentication context for the user query so that all security layers apply correctly.
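The leak described under Impact and the fix described under Patches, as an added in-memory illustration (not Parse Server's own code): the vulnerable handler resolves the user through the same master-level query as the session, so the adapter's sanitization step is skipped; the fixed handler re-queries the user under the caller's context. The record layout, `authData.mfa.secret`, `recoveryCodes` and the `isMaster` flag are constructed for the example.

```javascript
// Added illustration, not Parse Server's own code: an in-memory /users/me model.
// Sessions are looked up with master-level auth; the bug is that a user resolved
// through that master query inherits the master context, bypassing sanitization.
const users = {
  u1: {
    objectId: 'u1',
    username: 'alice',
    authData: { mfa: { secret: 'JBSWY3DPEHPK3PXP', recoveryCodes: ['r1', 'r2'] } },
  },
};
// Constructed session store: session token -> session row pointing at its user
const sessions = { 'r:tok123': { objectId: 's1', user: 'u1' } };

// Auth-adapter sanitization: drops secret material from every authData
// provider unless the request runs with master-level auth.
const SECRET_FIELDS = ['secret', 'recoveryCodes'];
function sanitizeAuthData(user, auth) {
  if (auth.isMaster) return user; // master requests see everything
  const copy = JSON.parse(JSON.stringify(user));
  for (const provider of Object.values(copy.authData || {})) {
    for (const f of SECRET_FIELDS) delete provider[f];
  }
  return copy;
}

function findUser(id, auth) {
  const u = users[id];
  return u ? sanitizeAuthData(u, auth) : null;
}

// Session query with the user included: the included user is resolved under
// the same auth context as the session query itself.
function findSessionWithUser(token, auth) {
  const s = sessions[token];
  return s ? { ...s, user: findUser(s.user, auth) } : null;
}

// Vulnerable: a single master-level query resolves both session and user, so
// the caller receives the unsanitized user, TOTP secret included.
function meVulnerable(token) {
  const s = findSessionWithUser(token, { isMaster: true });
  return s ? s.user : null;
}

// Fixed: the session lookup still needs master, but the user is queried
// separately under the caller's own (non-master) context.
function meFixed(token) {
  const s = sessions[token];
  return s ? findUser(s.user, { isMaster: false }) : null;
}
```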

Workarounds

There is no known workaround.
