CVE-2026-34215

CVSS v4.0

8.2

High

AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Impact

The verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection.

Patches

The verify password endpoint now sanitizes authentication data through auth adapter hooks before returning the response, consistent with login and user retrieval endpoints.

Workarounds

There is no known workaround.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2026-34215

GHSA-WP76-GG32-8258

Affected Products

Parse Server

CVE-2026-34215

Impact

Patches

Workarounds

Weakness Enumeration

Related Identifiers

Affected Products

References · 5