8.2
CVE-2026-34215
- EPSS 0.3%
- Veröffentlicht 31.03.2026 19:34:50
- Zuletzt bearbeitet 03.04.2026 17:16:43
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginParse Server: Auth data exposed via verify password endpoint
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.63
Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.7.0
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha1 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha2 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha3 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha4 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha5 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha6 SwPlatformnode.js
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.3% | 0.217 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| security-advisories@github.com | 8.2 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258
https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed
https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c
https://github.com/parse-community/parse-server/pull/10323
https://github.com/parse-community/parse-server/pull/10324