
Sensitive information sent insecurely in parse-server

Description

Parse Server exposes auth data via /users/me endpoint

Impact

An authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely.

Patches

The /users/me endpoint now queries the session and user data separately, using the caller's authentication context for the user query so that all security layers apply correctly.
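The flaw and the fix described above, reduced to a small in-memory model (an added illustration, not parse-server's own code): the assumed pieces are a session store, a user store, and an "auth adapter" sanitization step that strips provider secrets from authData unless the caller holds master access. The vulnerable handler reuses the master context from the session lookup for the user lookup, so the adapter step is skipped; the fixed handler builds a caller-scoped context for the user lookup. The session token, user record and MFA field values are constructed sample data.

```javascript
// Illustrative model of the /users/me flaw and its fix (added example, not parse-server code).
// Assumed: an in-memory session store, an in-memory user store, and an "auth adapter"
// policy that hides provider secrets from any caller that is not the master.

// Constructed sample data: one session token mapping to one user with an MFA provider entry.
const SESSIONS = new Map([
  ['r:sessiontoken-example', { userId: 'u1' }],
]);
const USERS = new Map([
  ['u1', {
    objectId: 'u1',
    username: 'alice',
    authData: {
      mfa: { status: 'enabled', secret: 'EXAMPLE-TOTP-SECRET', recovery: ['EXAMPLE-RECOVERY-CODE'] },
    },
  }],
]);

// Assumed per-provider policy: the only authData fields a non-master caller may see.
const ADAPTER_PUBLIC_FIELDS = { mfa: ['status'] };

function clone(value) {
  return JSON.parse(JSON.stringify(value));
}

// Auth adapter sanitization: keep only the public fields of each provider's authData.
function sanitizeAuthData(user) {
  const copy = clone(user);
  for (const [provider, data] of Object.entries(copy.authData || {})) {
    const allowed = ADAPTER_PUBLIC_FIELDS[provider] || [];
    copy.authData[provider] = Object.fromEntries(
      Object.entries(data).filter(([field]) => allowed.includes(field)),
    );
  }
  return copy;
}

// Data layer: session rows are only readable with master access (server-internal use).
function findSession(token, ctx) {
  if (!ctx.isMaster) throw new Error('session lookup requires master context in this model');
  return SESSIONS.get(token) || null;
}

// Data layer: master context returns the raw row; every other context is sanitized.
function findUser(userId, ctx) {
  const user = USERS.get(userId);
  if (!user) return null;
  return ctx.isMaster ? clone(user) : sanitizeAuthData(user);
}

// Vulnerable shape: the master context used for the session query is reused for the
// user query, so the raw authData (MFA secret included) goes back to the session holder.
function getMeVulnerable(sessionToken) {
  const masterCtx = { isMaster: true };
  const session = findSession(sessionToken, masterCtx);
  if (!session) throw new Error('invalid session token');
  return findUser(session.userId, masterCtx);
}

// Fixed shape: resolve the session with master access, then query the user with a
// context built from the caller's own identity so adapter sanitization applies.
function getMeFixed(sessionToken) {
  const session = findSession(sessionToken, { isMaster: true });
  if (!session) throw new Error('invalid session token');
  const callerCtx = { isMaster: false, userId: session.userId };
  return findUser(session.userId, callerCtx);
}

// Check a response the way a regression test would: does any provider entry still
// carry a field outside the public list?
function leaksSecrets(user) {
  return Object.entries(user.authData || {}).some(([provider, data]) =>
    Object.keys(data).some((field) => !(ADAPTER_PUBLIC_FIELDS[provider] || []).includes(field)),
  );
}

console.log('vulnerable leaks secrets:', leaksSecrets(getMeVulnerable('r:sessiontoken-example')));
console.log('fixed leaks secrets:', leaksSecrets(getMeFixed('r:sessiontoken-example')));
```

The `leaksSecrets` check is the kind of assertion worth keeping in a test suite after applying the patch: it fails on the old handler and passes on the new one, and it also catches any future endpoint that forwards a master-scoped query result to a non-master caller.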

Workarounds

There is no known workaround.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions
FLAT-J9WNM – Vulnerability | Fluid Attacks Database