CVE-2026-53725

CVE-2026-53725 is a medium-severity security vulnerability in parse-server (npm), affecting versions >= 9.8.0, < 9.9.1-alpha.5. It is fixed in 9.9.1-alpha.5.

Workarounds

None that preserve the intended _User get restriction. Upgrade to a patched version.

Impact

Apps that enable MFA and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassword endpoints.

These endpoints re-fetch the user through the access-controlled query pipeline (CLP, protectedFields, auth-adapter sanitizers) before responding. When that re-fetch was denied by the _User get permission, the server fell back to the raw database row, exposing raw authData (including MFA TOTP secrets and recovery codes) and fields hidden by protectedFields (when protectedFieldsOwnerExempt is false).

/verifyPassword is the most severe: with only a username and password (no session or MFA token), an attacker who knows a victim's password could retrieve their MFA secret and recovery codes, defeating the second factor.

Only Parse Server 9.8.0 and later are affected; 8.x and earlier are not. Master and maintenance key requests are unaffected, as they bypass these controls by design.

Affected versions

parse-server (>= 9.8.0, < 9.9.1-alpha.5)

Security releases

parse-server → 9.9.1-alpha.5 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

On a denied re-fetch, /login and /verifyPassword no longer fall back to the raw row; they return only the user's identity (plus the session token for /login). Master and maintenance key callers still receive the full record.
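The denied-re-fetch fallback described under Impact and the identity-only behaviour described under Remediation advice, modelled side by side as an added JavaScript example (not parse-server's own code). The pipeline function, the CLP flag, the field names and the record values are hypothetical stand-ins for the server's CLP, protectedFields and auth-adapter sanitizer.

```javascript
// Added example, not parse-server's own code: a minimal model of the
// /login and /verifyPassword response path. fetchUserThroughPipeline,
// rawRow and the sample values are hypothetical/constructed.

// Constructed raw _User row as stored in the database.
const rawRow = {
  objectId: 'u1',
  username: 'alice',
  email: 'alice@example.com',
  authData: { mfa: { secret: 'TOTP-SECRET', recovery: ['r1', 'r2'] } },
};

// Fields hidden from all non-master readers (protectedFieldsOwnerExempt false).
const protectedFields = ['email'];

// Auth adapters sanitize authData before it leaves the server; here the
// whole mfa block (secret and recovery codes) is dropped.
function sanitizeAuthData(authData) {
  const { mfa, ...rest } = authData;
  return rest;
}

// Access-controlled re-fetch: CLP check, protectedFields, adapter sanitizer.
// Master/maintenance callers bypass all of it; a denied CLP yields null.
function fetchUserThroughPipeline(row, ctx, clpAllowsGet) {
  if (ctx.master) return { ...row };
  if (!clpAllowsGet) return null;
  const out = { ...row };
  for (const f of protectedFields) delete out[f];
  if (out.authData) out.authData = sanitizeAuthData(out.authData);
  return out;
}

// Vulnerable shape: a denied re-fetch falls back to the raw database row.
function loginResponseVulnerable(ctx, clpAllowsGet, sessionToken) {
  const user = fetchUserThroughPipeline(rawRow, ctx, clpAllowsGet) || rawRow;
  return { ...user, sessionToken };
}

// Patched shape: a denied re-fetch returns identity only plus the session token.
function loginResponseFixed(ctx, clpAllowsGet, sessionToken) {
  const user = fetchUserThroughPipeline(rawRow, ctx, clpAllowsGet);
  if (user) return { ...user, sessionToken };
  return { objectId: rawRow.objectId, username: rawRow.username, sessionToken };
}

// Detection helper: does a response carry MFA secret material?
function leaksMfaSecret(response) {
  return Boolean(response.authData && response.authData.mfa);
}
```

Running `leaksMfaSecret` over captured login responses is a quick way to confirm whether a deployment still exhibits the fallback after upgrading.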

Frequently Asked Questions

  1. What is CVE-2026-53725? CVE-2026-53725 is a medium-severity security vulnerability in parse-server (npm), affecting versions >= 9.8.0, < 9.9.1-alpha.5. It is fixed in 9.9.1-alpha.5.
  2. Which versions of parse-server are affected by CVE-2026-53725? parse-server (npm) versions >= 9.8.0, < 9.9.1-alpha.5 are affected.
  3. Is there a fix for CVE-2026-53725? Yes. CVE-2026-53725 is fixed in 9.9.1-alpha.5. Upgrade to this version or later.
  4. Is CVE-2026-53725 exploitable, and should I be worried? Whether CVE-2026-53725 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-53725 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-53725? Upgrade parse-server to 9.9.1-alpha.5 or later.
