CVE-2026-34215
Parse Server exposes auth data via verify password endpoint
Description
### Impact The verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. ### Patches The verify password endpoint now sanitizes authentication data through auth adapter hooks before returning the response, consistent with login and user retrieval endpoints. ### Workarounds There is no known workaround.
How to fix CVE-2026-34215
To remediate CVE-2026-34215, upgrade the affected package to a fixed version below.
- —upgrade to 8.6.63 or later
- —upgrade to 9.7.0-alpha.7 or later
Is CVE-2026-34215 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 8.6.63, >= 9.0.0, < 9.7.0
- >= 9.0.0, < 9.7.0-alpha.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |