Parse Server /users/me Endpoint Exposes MFA Secrets
Parse Server versions before 8.6.61 and versions 9.0.0 to 9.6.0-alpha.55 expose sensitive MFA credentials via the `/users/me` endpoint, allowing authenticated users to extract TOTP secrets and recovery codes.
Parse Server, an open-source backend framework, contains a vulnerability in versions before 8.6.61 and versions 9.0.0 up to 9.6.0-alpha.55. The /users/me endpoint inadvertently exposes sensitive authentication data, including MFA TOTP secrets and recovery codes. An authenticated user possessing a valid session token can exploit this flaw. The root cause lies in the endpoint's use of master-level authentication for the session query, causing the master context to leak into user data and bypass security sanitization. This vulnerability, disclosed on March 24, 2026, as GHSA-37mj-c2wf-cx96, can lead to unauthorized access and account compromise. Defenders should prioritize patching vulnerable Parse Server instances to prevent potential credential compromise.
Attack Chain
- An attacker identifies a Parse Server instance running a vulnerable version (below 8.6.61 or between 9.0.0 and 9.6.0-alpha.55).
- The attacker obtains valid user credentials through standard means (e.g., registration, password reset, or credential stuffing).
- The attacker successfully authenticates to the Parse Server and receives a valid session token.
- The attacker crafts a
GETrequest to the/users/meendpoint, including the valid session token in the request headers. - The Parse Server processes the request, using master-level authentication for the initial session query.
- Due to the bypassed sanitization, the response includes the targeted user's sensitive MFA TOTP secret and recovery codes.
- The attacker uses the extracted TOTP secret to generate valid, time-based MFA codes.
- The attacker uses the generated MFA codes, or the recovery codes, to bypass MFA and gain full access to the user's account.
Impact
Successful exploitation of this vulnerability allows attackers to bypass multi-factor authentication controls and gain unauthorized access to user accounts. The number of affected Parse Server instances is unknown. Impacted organizations could experience account takeovers, data breaches, and reputational damage. The severity is high due to the ease of exploitation (requires only a valid session token) and the direct exposure of MFA secrets.
Recommendation
- Upgrade Parse Server instances to a patched version (8.6.61 or later, or 9.6.0-alpha.55 or later) to remediate CVE-2026-33627.
- Deploy the Sigma rule "Detect Access to Users Me Endpoint" to monitor access patterns to the vulnerable endpoint.
- Enable detailed logging for web server requests to capture requests to the
/users/meendpoint to facilitate investigations.
Detection coverage 2
Detect Access to Users Me Endpoint
mediumDetects requests to the /users/me endpoint in Parse Server, which is vulnerable to MFA secret exposure.
Detect Multiple Failed Logins Followed by /users/me Access
highDetects a pattern of multiple failed login attempts followed by a successful request to the /users/me endpoint, potentially indicating an attacker attempting to harvest MFA secrets after gaining initial access.
Detection queries are available on the platform. Get full rules →