{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34224", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T16:22:29.033Z", "datePublished": "2026-03-31T14:25:22.782Z", "dateUpdated": "2026-03-31T14:25:22.782Z"}, "containers": {"cna": {"title": "Parse Server: MFA single-use token bypass via concurrent authData login requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.1, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf"}, {"name": "https://github.com/parse-community/parse-server/pull/10326", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10326"}, {"name": "https://github.com/parse-community/parse-server/pull/10327", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10327"}, {"name": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92"}, {"name": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 8.6.64", "status": "affected"}, {"version": ">= 9.0.0, < 9.7.0-alpha.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T14:25:22.782Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8."}], "source": {"advisory": "GHSA-w73w-g5xw-rwhf", "discovery": "UNKNOWN"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7C688FBB-87FE-4461-ABF0-CC850CAB2A5D", "versionEndExcluding": "8.6.64", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E3DFF698-B3EE-4DCA-BAF3-9BE52F0F77D7", "versionEndExcluding": "9.7.0", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "3A140D3A-AECC-4CA1-958C-3CA53E313B27", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "BEDAEFBC-DA77-4998-BDD6-A139E15E5CC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "8C9E59AF-3B82-4D61-847B-A18E7DDF7A34", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "2AB743CC-D168-4313-A5AA-43CF76D178E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "C351C736-AB91-4985-A0B4-43B120F5E5C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "F02797C9-E67D-4BF4-BB56-8D6DA9178322", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7:*:*:*:node.js:*:*", "matchCriteriaId": "B059E381-D0F6-4425-92C0-167486379A98", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8."}], "id": "CVE-2026-34224", "lastModified": "2026-04-01T18:16:00.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T15:16:18.590", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/pull/10326"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/pull/10327"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.64)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.7.0-alpha.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-03-31T16:51:45.896226+00:00", "value": {"mitigation_remediation": ["Upgrade Parse Server to version 8.6.64 or newer, or 9.7.0\u2011alpha.8.", "Verify that the deployment now runs a patched version by checking the build tag or running npm list.", "If an upgrade is not immediately possible, restrict concurrent authentication requests by implementing rate limiting or application\u2011level controls until a patch is applied."], "summary": {"action": "Immediate Patch", "impact": "MFA Bypass"}, "threat_synthesis": {"affected_systems": "Deployments of Parse Server from the parse\u2011community project that are running any version older than 8.6.64 or 9.7.0\u2011alpha.8 are vulnerable. All installations of those unpatched binaries are at risk, regardless of the underlying infrastructure.", "description_and_impact": "The vulnerability is a concurrency race condition (CWE\u2011367) that allows an attacker who already holds a valid authentication provider token and a single MFA recovery code or SMS one\u2011time password to create multiple authenticated sessions. By sending simultaneous requests to the Parse Server authData login endpoint, the single\u2011use protection of the recovery code or OTP is bypassed. The result is that an attacker can keep a session alive even after the legitimate user revokes or terminates it, effectively defeating the intended MFA safeguard and allowing continued access to the user\u2019s account.", "risk_and_exploitability": "The CVSS score of 2.1 indicates low overall severity, and the vulnerability is not listed in CISA's KEV catalog. Exploitation does not require elevated privileges beyond possessing a valid authentication provider token and an MFA code. An attacker can trigger the race condition from any remote location by issuing concurrent login requests to the authData endpoint. The ability to maintain multiple sessions after a legitimate revocation means the attack can persist over time, but the lack of privilege escalation limits the potential impact to the compromised user\u2019s sessions only."}}}}, "created": "2026-03-31T19:54:23.927674+00:00", "updated": "2026-03-31T20:38:19.383029+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}