PatchSiren cyber security CVE debrief
CVE-2026-53725 parse-community CVE debrief
CVE-2026-53725 is a sensitive data exposure vulnerability in Parse Server, an open-source backend that can be deployed to any infrastructure that can run Node.js. The vulnerability affects versions 9.8.0 to before 9.9.1-alpha.5. Apps that enable Multi-Factor Authentication (MFA) and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassword endpoints. These endpoints re-fetch the user through the access-controlled query pipeline (CLP, protectedFields, auth-adapter sanitizers) before responding. When that re-fetch is denied by the _User get permission, the server falls back to the raw database row, exposing raw authData (including MFA TOTP secrets and recovery codes) and fields hidden by protectedFields (when protectedFieldsOwnerExempt is false). The /verifyPassword endpoint is particularly severe: it needs only a username and password (no session or MFA token), so an attacker who knows a victim's password could retrieve their MFA secret and recovery codes, defeating the second factor.
- Vendor: parse-community
- Product: parse-server
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Parse Server versions 9.8.0 to before 9.9.1-alpha.5 who have enabled MFA and denied get on the _User class via Class-Level Permissions should be aware of this vulnerability. Specifically, applications that use the /login and /verifyPassword endpoints are at risk of exposing sensitive user data.
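The affected range has a pre-release boundary, which plain string comparison gets wrong (9.9.1-alpha.10 sorts after 9.9.1-alpha.5, and the 9.9.1 release sorts after every 9.9.1 pre-release). The following is an added example, not Parse Server or PatchSiren code: a semver comparison that decides whether a deployed version falls in 9.8.0 <= version < 9.9.1-alpha.5, applied to a constructed inventory with hypothetical deployment names.

```javascript
// Added example, not Parse Server or PatchSiren code: decide whether a
// deployed Parse Server version falls in the affected range given above,
// 9.8.0 <= version < 9.9.1-alpha.5. The pre-release boundary matters: under
// semver, 9.9.1-alpha.4 is affected, while 9.9.1-alpha.5, 9.9.1-beta.1 and
// the 9.9.1 release are not.

const AFFECTED_FROM = '9.8.0';      // first affected version (from the advisory)
const FIXED_IN = '9.9.1-alpha.5';   // first fixed version (from the advisory)

// Split "1.2.3-alpha.4" into numeric core parts and pre-release identifiers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Semver precedence: compare major.minor.patch, then pre-release identifiers.
// A release (no pre-release) sorts after every pre-release of the same core;
// numeric identifiers compare as numbers and sort before alphanumeric ones.
function compareVersions(a, b) {
  const A = parseVersion(a);
  const B = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (A.core[i] !== B.core[i]) return A.core[i] < B.core[i] ? -1 : 1;
  }
  if (A.pre.length === 0 || B.pre.length === 0) {
    if (A.pre.length === B.pre.length) return 0;
    return A.pre.length === 0 ? 1 : -1;
  }
  const n = Math.max(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    const x = A.pre[i];
    const y = B.pre[i];
    if (x === undefined) return -1; // fewer identifiers sorts first
    if (y === undefined) return 1;
    const xNum = /^\d+$/.test(x);
    const yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xNum) {
      return -1;
    } else if (yNum) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// True when the given version is in [AFFECTED_FROM, FIXED_IN).
function isAffectedVersion(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0
      && compareVersions(version, FIXED_IN) < 0;
}

// Audit an inventory ({ deploymentName: version }); returns the names still affected.
function affectedDeployments(inventory) {
  return Object.entries(inventory)
    .filter(([, version]) => isAffectedVersion(version))
    .map(([name]) => name);
}

// Constructed inventory for the example (hypothetical deployment names).
const SAMPLE_INVENTORY = {
  'api-prod': '9.9.0',
  'api-staging': '9.9.1-alpha.4',
  'api-canary': '9.9.1-alpha.5',
  'legacy': '9.7.2',
};

console.log('still affected:', affectedDeployments(SAMPLE_INVENTORY));
```

The version string to feed in is whatever your deployment reports, for instance the version field of the installed parse-server package.json; the point of the helper is that the alpha.5 boundary is honoured exactly as semver defines it. Note that the MFA and CLP conditions in the advisory are separate prerequisites, so a version in range is necessary but not sufficient for exposure.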
Technical summary
The vulnerability arises from how Parse Server re-fetches the user record through the access-controlled query pipeline after a successful login or password verification. When that re-fetch is denied by the _User get permission, the server falls back to the raw database row instead of returning a sanitized record. This exposes raw authData (including MFA TOTP secrets and recovery codes) and, when protectedFieldsOwnerExempt is set to false, fields hidden by protectedFields.
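A practical way to confirm the fix on a staging deployment is to inspect what /login and /verifyPassword actually return for a test account and fail the check if raw credential material or protected fields come back. The following is an added example, not Parse Server code: an auditor for such a response body. The sample bodies are constructed, and the key names under authData (secret, recovery) are assumptions taken from the advisory's wording rather than Parse Server's storage schema.

```javascript
// Added example, not Parse Server code: audit the JSON body returned by
// /login or /verifyPassword for data the access-controlled pipeline should
// have stripped. Sample bodies are constructed; the authData key names are
// assumptions (adjust SENSITIVE_KEY to the auth adapters you use).

// Key names that indicate raw credential material under authData. Assumed
// from the advisory wording (TOTP secret, recovery codes).
const SENSITIVE_KEY = /secret|recovery/i;

// Recursively collect dotted key paths so a report names exactly what leaked.
function keyPaths(obj, prefix) {
  const paths = [];
  for (const [key, value] of Object.entries(obj)) {
    const path = `${prefix}.${key}`;
    paths.push(path);
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      paths.push(...keyPaths(value, path));
    }
  }
  return paths;
}

// Return the leaked field paths in a /login or /verifyPassword body.
//   protectedFields: names already resolved as protected for this requester
//                    on _User;
//   ownerExempt:     mirrors protectedFieldsOwnerExempt. The user receives
//                    their own record here, so protected fields are only
//                    expected to be hidden when the owner is not exempt.
function auditUserResponse(body, { protectedFields = [], ownerExempt = true } = {}) {
  const leaks = [];
  if (body.authData && typeof body.authData === 'object') {
    for (const path of keyPaths(body.authData, 'authData')) {
      if (SENSITIVE_KEY.test(path.split('.').pop())) leaks.push(path);
    }
  }
  if (!ownerExempt) {
    for (const field of protectedFields) {
      if (field in body) leaks.push(field);
    }
  }
  return leaks;
}

// Convenience: true when the body is clean for the given settings.
function isSanitized(body, options) {
  return auditUserResponse(body, options).length === 0;
}

// Constructed sample: a correctly sanitized login response.
const SANITIZED_RESPONSE = {
  objectId: 'u1example',
  username: 'alice',
  sessionToken: 'r:constructed-token',
};

// Constructed sample: the raw _User row the fallback described above returns.
// Values are placeholders, not real secrets.
const RAW_ROW_RESPONSE = {
  objectId: 'u1example',
  username: 'alice',
  sessionToken: 'r:constructed-token',
  email: 'alice@example.com',
  authData: { mfa: { secret: 'PLACEHOLDER-TOTP-SECRET', recovery: ['PLACEHOLDER-CODE'] } },
};

console.log('sanitized:', auditUserResponse(SANITIZED_RESPONSE, { protectedFields: ['email'], ownerExempt: false }));
console.log('raw row:  ', auditUserResponse(RAW_ROW_RESPONSE, { protectedFields: ['email'], ownerExempt: false }));
```

Run this against the bodies a dedicated test user gets back from your own staging server before and after upgrading: an empty list after the upgrade, with protectedFields set to what your _User CLP hides for that audience, is the evidence that the fallback no longer reaches the client.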
Defensive priority
MEDIUM
Recommended defensive actions
- Update to version 9.9.1-alpha.5 or later.
- Review and adjust Class-Level Permissions for the _User class.
- Review the protectedFieldsOwnerExempt setting: when it is false, fields hidden by protectedFields are also exposed by this fallback.
- Monitor /login and /verifyPassword endpoints for suspicious activity.
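For the monitoring action, the signal to look for is a single client driving many /login or /verifyPassword requests in a short window, since /verifyPassword needs nothing but a username and password. The following is an added example, not Parse Server code: a sliding-window burst detector run over constructed access-log lines. The log format ("<ISO time> <client ip> <method> <path> <status>") and the addresses are constructed for the example; Parse Server's own request logging and your reverse proxy's format will differ, so parseLine is the part to adapt.

```javascript
// Added example, not Parse Server code: flag clients that hammer /login or
// /verifyPassword. Log lines and addresses are constructed for the example;
// adapt parseLine to your proxy or access-log format.

const SAMPLE_LOG = [
  '2026-06-12T10:00:01Z 198.51.100.5 POST /parse/login 200',
  '2026-06-12T10:00:05Z 203.0.113.7 POST /parse/verifyPassword 200',
  '2026-06-12T10:00:09Z 203.0.113.7 POST /parse/verifyPassword 200',
  '2026-06-12T10:00:12Z 203.0.113.7 GET /parse/verifyPassword?x=1 200',
  '2026-06-12T10:00:15Z 203.0.113.7 POST /parse/verifyPassword 200',
  '2026-06-12T10:00:20Z 203.0.113.7 POST /parse/verifyPassword 200',
  '2026-06-12T10:00:25Z 203.0.113.7 POST /parse/verifyPassword 200',
  '2026-06-12T10:03:00Z 198.51.100.5 POST /parse/classes/Post 201',
  '2026-06-12T10:30:00Z 198.51.100.5 POST /parse/login 200',
];

// The two endpoints this CVE exposes, matched on the path without query string.
const WATCHED_PATH = /\/(login|verifyPassword)$/;

// Parse one constructed log line; returns null for lines in another format.
function parseLine(line) {
  const m = /^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$/.exec(line);
  if (!m) return null;
  return {
    ts: Date.parse(m[1]),
    ip: m[2],
    method: m[3],
    path: m[4].split('?')[0],
    status: Number(m[5]),
  };
}

// Sliding-window count of watched requests per client; alert when any
// window of `windowMs` holds at least `threshold` requests.
function findBursts(lines, { windowMs = 60_000, threshold = 5 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || !WATCHED_PATH.test(e.path)) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e.ts);
  }
  const alerts = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    let peak = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak >= threshold) alerts.push({ ip, requestsInWindow: peak });
  }
  return alerts;
}

console.log(findBursts(SAMPLE_LOG));
```

Tune windowMs and threshold to the login rate your app legitimately sees; a burst against /verifyPassword from one address is worth a look on any version, and on an affected version it is the pattern under which MFA material could have been read.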
Evidence notes
CVE-2026-53725 has a CVSS score of 5.9 and is considered MEDIUM severity. The vulnerability was published and modified on June 12, 2026.
Official resources
This CVE debrief is based on information from official sources and is intended for informational purposes only. It does not constitute an endorsement or recommendation.