Parse Server is an open-source backend framework that runs on Node.js and is widely used for mobile and web application backends. CVE-2026-34215 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) that affects the verify password endpoint in parse-server versions prior to 8.6.63 and between 9.0.0 and 9.7.0-alpha.7. This endpoint improperly returns unsanitized authentication data, including multi-factor authentication (MFA) Time-based One-Time Password (TOTP) secrets, recovery codes, and OAuth access tokens. The vulnerability allows an attacker who already knows a user's password to retrieve these sensitive secrets, enabling them to generate valid MFA codes and bypass the multi-factor authentication protection. The vulnerability does not require user interaction and can be exploited remotely over the network without additional privileges beyond password knowledge. The issue has been addressed in parse-server versions 8.6.63 and 9.7.0-alpha.7 by sanitizing the response data to exclude sensitive authentication secrets. The CVSS 4.0 score is 8.2 (high), reflecting the network attack vector, low attack complexity, no privileges required beyond password knowledge, no user interaction, and high impact on confidentiality. No known exploits are currently reported in the wild, but the potential for account compromise is significant given the exposure of MFA secrets.

The primary impact of this vulnerability is the compromise of multi-factor authentication, which is a critical security control for protecting user accounts. By exposing MFA TOTP secrets and recovery codes, attackers who have obtained user passwords can bypass MFA protections, leading to unauthorized access to user accounts and potentially sensitive data. This undermines the security posture of applications relying on parse-server for authentication and backend services. Organizations using affected versions risk account takeover, data breaches, and unauthorized access to protected resources. The exposure of OAuth access tokens further increases the risk by potentially allowing attackers to access third-party services or APIs linked via OAuth. The vulnerability affects confidentiality severely, with no direct impact on integrity or availability. The ease of exploitation (requiring only password knowledge) and the widespread use of parse-server in mobile and web applications globally amplify the threat's potential impact.

Organizations should immediately upgrade parse-server to version 8.6.63 or later, or 9.7.0-alpha.7 or later, where the vulnerability has been patched. Until upgrades are applied, restrict access to the verify password endpoint by implementing network-level controls such as IP whitelisting or VPN access to reduce exposure. Review and audit user accounts for suspicious activity, especially those with known password leaks. Encourage users to change passwords and reset MFA configurations to invalidate potentially compromised secrets. Implement additional monitoring and alerting on authentication endpoints to detect abnormal access patterns. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block attempts to exploit this endpoint. Finally, educate developers and administrators on secure handling of authentication data to prevent similar issues in future releases.