CVE-2026-34224

EPSS 0.31%
Veröffentlicht 31.03.2026 14:25:22
Zuletzt bearbeitet 02.04.2026 16:16:23
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server: MFA single-use token bypass via concurrent authData login requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 8

NVD 9 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.64

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.7.0

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha1 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha2 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha4 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha5 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha6 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha7 SwPlatformnode.js

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.226

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.4	0.7	3.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	2.1	0	0	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
134c704f-9b21-4f2e-91b3-4a467353bcc0	4.4	0.7	3.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf

Patch

Vendor Advisory

https://github.com/parse-community/parse-server/pull/10326

Patch

Issue Tracking

https://github.com/parse-community/parse-server/pull/10327

Patch

Issue Tracking

https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92

Patch

https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-34224

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34224

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34224

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34224