Broken Object Property Level Authorization

Broken Object Property Level Authorization Node.js (Express) [CVE-2026-33627]

[Fixed month year] Updated CVE-2026-33627

Overview

CVE-2026-33627 describes a real-world vulnerability in Parse Server where an authenticated user calling GET /users/me can receive unsanitized authentication data, including highly sensitive credentials such as MFA TOTP secrets and recovery codes. The issue occurred because the endpoint relied on a master-level authentication context for the session query, and that master context leaked through to the returned user data, bypassing the sanitization normally performed by the auth adapter. An attacker with a valid session token could extract the MFA secret and generate valid TOTP codes indefinitely, effectively defeating multi-factor authentication for that account. The vulnerability was patched in Parse Server versions 8.6.61 and 9.6.0-alpha.55, but the underlying class of issue (broken object property level authorization) remains a canonical risk in Node.js (Express) apps whenever an endpoint returns a full object without per-property access checks. In practice, this class of vulnerability manifests when a server serializes a user or resource object without enforcing a strict allowlist of properties, leaking secrets, credentials, or internal metadata to clients.

Affected Versions

Parse Server versions prior to 8.6.61 and 9.6.0-alpha.55 were affected; fixed in 8.6.61 and 9.6.0-alpha.55.

Code Fix Example

Node.js (Express) API Security Remediation
Vulnerable pattern (exposes sensitive fields), followed by the fixed pattern:
const express = require('express');
const app = express();
const User = require('./models/User');                       // Mongoose user model (assumed)
const authenticate = require('./middleware/authenticate');   // session-validating middleware (assumed)

// Vulnerable endpoint: returns the full user document, including any
// nested authentication data such as MFA secrets and recovery codes
app.get('/users/me', authenticate, async (req, res) => {
  const user = await User.findById(req.user.id);
  res.json(user);
});

// Fixed pattern: replace the handler above with one that projects the
// document to an explicit allowlist of safe fields (Mongoose .select);
// anything not named here, such as authData, never leaves the server
app.get('/users/me', authenticate, async (req, res) => {
  const user = await User.findById(req.user.id).select('id username email');
  if (!user) return res.status(404).send();
  res.json(user);
});
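The allowlist approach above, carried one step further as an added example (not Parse Server's or the page's own code): a serializer that copies only allowlisted fields, plus a fail-closed guard that walks the outgoing body and refuses to send it if any credential-looking key survives. The field names, key pattern and sample record are assumptions constructed for this example.

```javascript
// Added example: allowlist serializer plus fail-closed guard for GET /users/me.
// Field names and the sample record below are assumptions, not Parse Server's.
const USER_PUBLIC_FIELDS = ['id', 'username', 'email', 'createdAt'];
// Key names that must never reach a client, at any nesting depth (assumed)
const SENSITIVE_KEY = /secret|recovery|password|token|totp/i;

// Copy only allowlisted top-level properties; everything else is dropped
function toPublicUser(user, fields = USER_PUBLIC_FIELDS) {
  const out = {};
  for (const key of fields) {
    if (user[key] !== undefined) out[key] = user[key];
  }
  return out;
}

// Walk a response body and return dotted paths of keys that look like credentials
function findSensitivePaths(value, path = '') {
  const hits = [];
  if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const here = path ? `${path}.${key}` : key;
      if (SENSITIVE_KEY.test(key)) hits.push(here);
      hits.push(...findSensitivePaths(child, here));
    }
  }
  return hits;
}

// Build the response for GET /users/me: sanitize, then refuse to send (500,
// not 200) if the allowlist itself would still leak a credential-like key
function buildUserResponse(user, fields = USER_PUBLIC_FIELDS) {
  const body = toPublicUser(user, fields);
  const leaks = findSensitivePaths(body);
  if (leaks.length > 0) {
    console.error('blocked /users/me response, sensitive paths:', leaks);
    return { status: 500, body: { error: 'internal error' } };
  }
  return { status: 200, body };
}

// Constructed sample of a raw user record as a session query might return it
const sampleUser = {
  id: 'u123', username: 'alice', email: 'alice@example.com',
  createdAt: '2026-01-01T00:00:00Z', sessionToken: 'r:constructed',
  authData: { mfa: { secret: 'CONSTRUCTED_TOTP_SECRET', recovery: ['c1', 'c2'] } },
};

console.log(findSensitivePaths(sampleUser)); // raw record: three credential paths
console.log(buildUserResponse(sampleUser));  // sanitized: status 200, four fields
```

Running findSensitivePaths over the raw record is also a cheap regression check to put in an API test suite, so a future refactor that widens the projection fails the build instead of shipping.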

CVE References
