GHSA-wp76-gg32-8258
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wp76-gg32-8258
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wp76-gg32-8258/GHSA-wp76-gg32-8258.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wp76-gg32-8258
- Aliases
-
- CVE-2026-34215
- Published
- 2026-03-29T15:14:03Z
- Modified
- 2026-03-29T15:34:56.381362Z
- Severity
-
- 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
- Summary
- Parse Server exposes auth data via verify password endpoint
- Details
-
Impact
The verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection.
Patches
The verify password endpoint now sanitizes authentication data through auth adapter hooks before returning the response, consistent with login and user retrieval endpoints.
Workarounds
There is no known workaround.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-200" ], "nvd_published_at": null, "github_reviewed_at": "2026-03-29T15:14:03Z", "severity": "HIGH" }- References
Affected packages
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server