CVE-2026-43930

EPSS 0.24%
Veröffentlicht 12.05.2026 13:34:50
Zuletzt bearbeitet 26.05.2026 16:39:16
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server: MFA SMS one-time password accepted twice under concurrent login

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.76

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.9.0

Parseplatform ≫ Parse-server Version9.9.0 Updatealpha1 SwPlatformnode.js

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.24%	0.143

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	2.1	0	0	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj

Vendor Advisory

Mitigation

https://github.com/parse-community/parse-server/pull/10448

Patch

Issue Tracking

https://github.com/parse-community/parse-server/pull/10449

Patch

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2026-43930

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-43930

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-43930

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-43930