parse-server: MFA sensitive data exposure on login/verifyPassword when _User get is denied
When MFA is enabled and `get` on `_User` class is denied via CLP, the `/login` and `/verifyPassword` endpoints previously fell back to the raw database row on denied re-fetch, exposing sensitive data like authData (including MFA TOTP secrets and recovery codes) and fields hidden by protectedFields.
What changed
Previously, when the user re-fetch performed after authentication was denied by the `_User` CLP, `/login` and `/verifyPassword` fell back to the raw database row, exposing `authData` (including MFA TOTP secrets and recovery codes) and fields hidden by `protectedFields`. Now, on a denied re-fetch, these endpoints return only the user's identity (plus a session token for `/login`).
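The following is an added illustration, not parse-server's own code: it models the pre-fix and post-fix response construction side by side, with a small check a defender can run against a test instance's `/login` or `/verifyPassword` response body. It assumes the user's "identity" means the `objectId`, treats `authData` as never returned on these endpoints (a simplification of parse-server's real rules), and uses a constructed `_User` row and schema; the function names and the CLP evaluation are hypothetical simplifications of the real server.

```javascript
// Constructed sample of a raw _User row as stored in the database (not real data).
const RAW_USER_ROW = {
  objectId: 'abc123',                       // constructed id
  username: 'alice',
  email: 'alice@example.com',
  _hashed_password: '$2b$10$constructed-hash',
  authData: { mfa: { secret: 'CONSTRUCTED-TOTP-SECRET', recovery: ['code1', 'code2'] } },
  phone: '+1-555-0100',
};

// Constructed schema settings for the _User class: `get` denied to everyone
// (an empty CLP rule grants nobody), and two fields hidden via protectedFields.
const USER_SCHEMA = {
  classLevelPermissions: { get: {} },
  protectedFields: { '*': ['email', 'phone'] },
};

// Hypothetical simplified CLP check: allowed only if some principal is granted `true`.
function isGetAllowed(schema, principals) {
  const rule = (schema.classLevelPermissions || {}).get || {};
  return principals.some((p) => rule[p] === true);
}

// Simplified model of a normal, permitted `get`: drops internal fields,
// authData, and anything protected for the caller.
function fetchSanitized(row, schema, principals) {
  const hidden = new Set();
  for (const [who, fields] of Object.entries(schema.protectedFields || {})) {
    if (who === '*' || principals.includes(who)) fields.forEach((f) => hidden.add(f));
  }
  const out = {};
  for (const [key, value] of Object.entries(row)) {
    if (key.startsWith('_') || key === 'authData' || hidden.has(key)) continue;
    out[key] = value;
  }
  return out;
}

// Pre-fix behaviour described in the advisory: a denied re-fetch falls back to the raw row.
function vulnerableAuthResponse(row, schema, principals, sessionToken) {
  const body = isGetAllowed(schema, principals)
    ? fetchSanitized(row, schema, principals)
    : { ...row }; // raw row: leaks authData and protectedFields
  if (sessionToken) body.sessionToken = sessionToken;
  return body;
}

// Patched behaviour: a denied re-fetch yields identity only (plus session token for /login).
function patchedAuthResponse(row, schema, principals, sessionToken) {
  const body = isGetAllowed(schema, principals)
    ? fetchSanitized(row, schema, principals)
    : { objectId: row.objectId }; // identity only (assumed to mean objectId)
  if (sessionToken) body.sessionToken = sessionToken;
  return body;
}

// Defender's check: which keys in a response body should never have left the server?
// Run it against the JSON returned by a test instance to confirm the patch is in effect.
function leakedSensitiveKeys(body, schema) {
  const protectedForAll = (schema.protectedFields || {})['*'] || [];
  const banned = ['authData', '_hashed_password', ...protectedForAll];
  return banned.filter((key) => key in body);
}

// Usage: public caller (principal '*'), /login issues a token, /verifyPassword does not.
console.log(leakedSensitiveKeys(vulnerableAuthResponse(RAW_USER_ROW, USER_SCHEMA, ['*'], 'r:tok'), USER_SCHEMA));
console.log(patchedAuthResponse(RAW_USER_ROW, USER_SCHEMA, ['*'], 'r:tok'));
console.log(patchedAuthResponse(RAW_USER_ROW, USER_SCHEMA, ['*'], undefined));
```

The check deliberately lists `authData` first: on an affected instance that is where the MFA TOTP secret and recovery codes travel, so its presence in a login response is the clearest signal that the fallback to the raw row is still in place.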
Who it affects
Parse Server instances with MFA enabled and `_User` `get` permission denied via Class-Level Permissions, running version 9.8.0 or later.
What to do today
Upgrade to a patched version of Parse Server to prevent exposure of sensitive user data.