CVE-2026-53725
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk16th percentile - higher than 16% of all known CVEs
Summary
Parse Server versions from 9.8.0 to before 9.9.1-alpha.5 have a vulnerability that allows the exposure of sensitive user data through the /login and /verifyPassword endpoints when MFA is enabled and access to the _User class is denied. When access to user data is denied, the server falls back to raw database rows, potentially exposing sensitive information such as MFA secrets and recovery codes.
Risk Assessment
Organizations may be at risk of sensitive user data theft, leading to unauthorized account access and loss of customer trust. Attackers could easily bypass MFA mechanisms, increasing the risk of security breaches.
Recommendation
It is recommended to update Parse Server to version 9.9.1-alpha.5 or later to mitigate this vulnerability. Additionally, it is advisable to review and strengthen security policies regarding user data access.
Original NVD description (English source)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassword endpoints. These endpoints re-fetch the user through the access-controlled query pipeline (CLP, protectedFields, auth-adapter sanitizers) before responding. When that re-fetch was denied by the _User get permission, the server fell back to the raw database row, exposing raw authData (including MFA TOTP secrets and recovery codes) and fields hidden by protectedFields (when protectedFieldsOwnerExempt is false). /verifyPassword is the most severe: with only a username and password (no session or MFA token), an attacker who knows a victim's password could retrieve their MFA secret and recovery codes, defeating the second factor. This issue has been patched in version 9.9.1-alpha.5.

