{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/parse/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Parse Server"],"_cs_severities":["high"],"_cs_tags":["parse-server","credential-access","mfa-bypass"],"_cs_type":"advisory","_cs_vendors":["Parse"],"content_html":"\u003cp\u003eParse Server, an open-source backend framework, contains a vulnerability in versions before 8.6.61 and versions 9.0.0 up to 9.6.0-alpha.55. The \u003ccode\u003e/users/me\u003c/code\u003e endpoint inadvertently exposes sensitive authentication data, including MFA TOTP secrets and recovery codes. An authenticated user possessing a valid session token can exploit this flaw. The root cause lies in the endpoint's use of master-level authentication for the session query, causing the master context to leak into user data and bypass security sanitization. This vulnerability, disclosed on March 24, 2026, as GHSA-37mj-c2wf-cx96, can lead to unauthorized access and account compromise. Defenders should prioritize patching vulnerable Parse Server instances to prevent potential credential compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Parse Server instance running a vulnerable version (below 8.6.61 or between 9.0.0 and 9.6.0-alpha.55).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains valid user credentials through standard means (e.g., registration, password reset, or credential stuffing).\u003c/li\u003e\n\u003cli\u003eThe attacker successfully authenticates to the Parse Server and receives a valid session token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003eGET\u003c/code\u003e request to the \u003ccode\u003e/users/me\u003c/code\u003e endpoint, including the valid session token in the request headers.\u003c/li\u003e\n\u003cli\u003eThe Parse Server processes the request, using master-level authentication for the initial session query.\u003c/li\u003e\n\u003cli\u003eDue to the bypassed sanitization, the response includes the targeted user's sensitive MFA TOTP secret and recovery codes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted TOTP secret to generate valid, time-based MFA codes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the generated MFA codes, or the recovery codes, to bypass MFA and gain full access to the user's account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass multi-factor authentication controls and gain unauthorized access to user accounts. The number of affected Parse Server instances is unknown. Impacted organizations could experience account takeovers, data breaches, and reputational damage. The severity is high due to the ease of exploitation (requires only a valid session token) and the direct exposure of MFA secrets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Parse Server instances to a patched version (8.6.61 or later, or 9.6.0-alpha.55 or later) to remediate CVE-2026-33627.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Access to Users Me Endpoint\u0026quot; to monitor access patterns to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging for web server requests to capture requests to the \u003ccode\u003e/users/me\u003c/code\u003e endpoint to facilitate investigations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-parse-server-auth-leak/","summary":"Parse Server versions before 8.6.61 and versions 9.0.0 to 9.6.0-alpha.55 expose sensitive MFA credentials via the `/users/me` endpoint, allowing authenticated users to extract TOTP secrets and recovery codes.","title":"Parse Server /users/me Endpoint Exposes MFA Secrets","url":"https://feed.craftedsignal.io/briefs/2024-01-30-parse-server-auth-leak/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Parse Server"],"_cs_severities":["high"],"_cs_tags":["sql-injection","privilege-escalation","parse-server"],"_cs_type":"advisory","_cs_vendors":["Parse"],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in the PostgreSQL adapter of Parse Server versions prior to 8.6.59 and between 9.0.0 and 9.6.0-alpha.53. This flaw enables an attacker who has already gained master key access to the Parse Server instance to inject arbitrary SQL commands. The vulnerability stems from insufficient validation of field names used within the aggregate \u003ccode\u003e$group\u003c/code\u003e pipeline stage or the \u003ccode\u003edistinct\u003c/code\u003e operation. By injecting SQL metacharacters into these field names, an attacker can bypass intended restrictions and execute unauthorized database operations. This vulnerability specifically affects Parse Server deployments using PostgreSQL and does not impact those utilizing MongoDB. Successful exploitation leads to privilege escalation, granting the attacker PostgreSQL database-level access, potentially compromising sensitive data and system integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains master key access to the Parse Server application, potentially through credential compromise or vulnerability exploitation in another part of the application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API request targeting either the aggregate \u003ccode\u003e$group\u003c/code\u003e pipeline stage or the \u003ccode\u003edistinct\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eThe crafted API request includes SQL metacharacters embedded within the field name parameters of the \u003ccode\u003e$group._id\u003c/code\u003e object or the \u003ccode\u003edistinct\u003c/code\u003e dot-notation parameters.\u003c/li\u003e\n\u003cli\u003eParse Server receives the request and, due to insufficient validation, passes the tainted field names to the PostgreSQL storage adapter.\u003c/li\u003e\n\u003cli\u003eThe PostgreSQL storage adapter uses the tainted field names in a \u003ccode\u003e:raw\u003c/code\u003e interpolation when constructing the SQL query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL metacharacters are interpreted by the PostgreSQL database, altering the intended query logic.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary SQL commands, such as creating new users with elevated privileges or dumping sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully escalates privileges from Parse Server application-level administrator to PostgreSQL database-level access, allowing for full control of the database.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability allows an attacker to escalate privileges from a Parse Server administrator to a PostgreSQL database administrator. This could lead to the complete compromise of the database, including unauthorized access to sensitive data, modification of existing data, and denial of service. The vulnerability affects Parse Server deployments using PostgreSQL, potentially impacting any organization using vulnerable versions. Given the nature of Parse Server as a backend for mobile and web applications, a successful attack could expose user data and application logic, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Parse Server to version 8.6.59 or greater, or version 9.6.0-alpha.53 or greater, to patch CVE-2026-33539.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the server side to sanitize field names before they are passed to the PostgreSQL adapter. While a full fix should be deployed, this provides defense in depth.\u003c/li\u003e\n\u003cli\u003eMonitor PostgreSQL logs for suspicious queries that contain unexpected SQL metacharacters in field names. Adapt the provided Sigma rule \u003ccode\u003eDetect Suspicious Parse Server PostgreSQL Queries\u003c/code\u003e to your logging environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-parse-server-sqli/","summary":"A SQL injection vulnerability in Parse Server's PostgreSQL adapter allows an attacker with master key access to execute arbitrary SQL statements via crafted field names in aggregate `$group` or `distinct` operations, leading to privilege escalation.","title":"Parse Server PostgreSQL Adapter SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-parse-server-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed - Parse","version":"https://jsonfeed.org/version/1.1"}