CVE-2026-33627: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in parse-community parse-server
CVE-2026-33627 is a high-severity vulnerability in parse-community's parse-server affecting versions prior to 8.6.61 and versions from 9.0.0 up to but not including 9.6.0-alpha.55. Authenticated users calling GET /users/me receive unsanitized authentication data, including sensitive MFA TOTP secrets and recovery codes. This occurs because the endpoint uses master-level authentication internally, causing master context to leak into user data and bypass sanitization.
AI Analysis
Technical Summary
Parse Server is an open-source backend framework that runs on Node.js and is widely used for mobile and web applications. CVE-2026-33627 is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and affects parse-server versions prior to 8.6.61 and versions from 9.0.0 up to but not including 9.6.0-alpha.55.

The flaw is in the GET /users/me endpoint, which returns the user record that owns the presented session token. Internally, the endpoint resolves the session with master-level authentication; that master context carries over into the user data it returns, so the sanitization that the authentication adapter normally applies to authData for non-master requests is skipped. The response therefore includes the raw authData of the MFA adapter, including the TOTP secret and the recovery codes.

Any client holding a valid session token triggers this simply by calling the endpoint. With the TOTP secret, an attacker can compute valid one-time codes for as long as that secret remains enrolled, and the recovery codes offer a second path through MFA; either defeats the second factor for that account. The vulnerability requires a valid session token (privileges required: low) and no user interaction, so it is easy to exploit once a session token has been obtained by other means, such as theft from a device or interception of traffic. The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact.

The vulnerability is patched in parse-server 8.6.61 and 9.6.0-alpha.55. No public exploits had been reported at the time of this analysis, but the exposure of MFA secrets makes abuse attractive.
Potential Impact
This vulnerability poses a serious risk to organizations running affected parse-server versions, especially those that rely on MFA to protect user accounts. An attacker who compromises a user's session token can extract the TOTP secret and keep generating valid codes, which turns a single stolen session into a durable bypass of the second factor rather than one-off access. This undermines the integrity of user authentication and can lead to unauthorized access to sensitive data. The exposure of recovery codes compounds the risk: they let the attacker pass MFA without computing TOTP codes at all, and they stay valid until the account's MFA enrollment is reset and new codes are issued. Consequences include data breaches and account takeovers and, where the Parse backend gates access to other systems, movement beyond it. Because exploitation needs only a session token and the confidentiality impact is high, this is a critical concern for any service relying on parse-server for user authentication. A stolen secret also survives session revocation, so incident response must treat the MFA material as compromised, not just the session.
Mitigation Recommendations
The primary mitigation is to upgrade parse-server to 8.6.61 or later on the 8.x line, or 9.6.0-alpha.55 or later on the 9.x line, where the vulnerability is patched. Upgrading stops further exposure but does not undo it: for any account whose session token may have been used against an unpatched server, reset MFA enrollment so that a new TOTP secret and fresh recovery codes are issued, and revoke the account's active sessions.

Organizations should also apply strict session token management, including short token lifetimes, revocation on logout and password change, and monitoring for unusual session activity (for example, one token used from several networks) to limit the value of a stolen token. Additional layers such as IP allow-listing, anomaly detection, and device fingerprinting can help detect and block unauthorized use of stolen tokens.

Until the upgrade is applied, review how the application depends on GET /users/me and, where a reverse proxy or API gateway sits in front of parse-server, strip authData from responses to that endpoint there; in custom code that reads user records with the master key, make sure sensitive authData fields are removed before anything reaches a client. Regular security audits and penetration testing focused on authentication flows are recommended to detect similar issues. Finally, educating users on securing their sessions and MFA credentials reduces the risk of token compromise.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T14:24:11.617Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c2dfdbf4197a8e3b622b41
Added to database: 3/24/2026, 7:02:51 PM
Last enriched: 3/31/2026, 8:24:22 PM
Last updated: 5/7/2026, 11:07:06 PM
Views: 71