CVE-2026-32943

EPSS 0.03%
Veröffentlicht 18.03.2026 21:46:17
Zuletzt bearbeitet 19.03.2026 16:55:36
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user's password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker's password takes effect instead. All Parse Server deployments that use the password reset feature are affected. Starting in versions 9.6.0-alpha.28 and 8.6.48, the password reset token is now atomically validated and consumed as part of the password update operation. The database query that updates the password includes the reset token as a condition, ensuring that only one concurrent request can successfully consume the token. Subsequent requests using the same token will fail because the token has already been cleared. There is no known workaround other than upgrading.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.48

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.6.0

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha1 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha10 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha11 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha12 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha13 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha14 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha15 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha16 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha17 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha18 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha19 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha2 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha20 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha21 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha22 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha23 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha24 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha25 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha26 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha27 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha4 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha5 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha6 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha7 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha8 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.6.0 Updatealpha9 SwPlatformnode.js

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.07

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.1	1.6	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
security-advisories@github.com	2.3	0	0	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

https://github.com/parse-community/parse-server/security/advisories/GHSA-r3xq-68wh-gwvh

Vendor Advisory

https://github.com/parse-community/parse-server/pull/10216

Issue Tracking

https://github.com/parse-community/parse-server/pull/10217

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2026-32943

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32943

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32943

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32943