CVE-2026-34224
LOW
2,1
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: high
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
Description
AI Translation Available
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.
367
Time-of-check Time-of-use (TOCTOU) Race Condition
IncompleteCommon Consequences
Security Scopes Affected:
Integrity
Other
Non-Repudiation
Potential Impacts:
Alter Execution Logic
Unexpected State
Modify Application Data
Modify Files Or Directories
Modify Memory
Other
Hide Activities
Applicable Platforms
All platforms may be affected
https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94…
https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6f…
https://github.com/parse-community/parse-server/pull/10326
https://github.com/parse-community/parse-server/pull/10327
https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g…