Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. This vulnerability is fixed in 9.6.0-alpha.7 and 8.6.33.
Published: 2026-03-11
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: MFA By-pass
Action: Immediate Patch
AI Analysis

Impact

Prior to versions 9.6.0-alpha.7 and 8.6.33, Parse Server generates two single-use recovery codes for users who have multi‑factor authentication (MFA) via TOTP enabled. Because these codes are not consumed after use, an attacker who obtains any single recovery code can use it repeatedly to authenticate as the affected user, effectively bypassing the MFA protection. The vulnerability is rooted in CWE‑672 (Use of a resource that does not allow duplication of a required unique behaviour). It compromises the confidentiality and integrity of user accounts by allowing unlimited reuse of a recovery token that was intended to be one‑time.

Affected Systems

All instances of parse-server from the parse-community that are running any version earlier than 9.6.0-alpha.7 or 8.6.33 are affected. The vulnerability is present in the open source Parse Server and can be found in all CPE entries for parse-server up to those release points.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. The EPSS score is reported as less than 1%, suggesting a low probability of exploitation in the wild in the near term, and the vulnerability is not listed in the CISA KEV catalog. However, once a recovery code is compromised, exploitation is trivial: the attack vector is remote and requires only possession of the code, so an attacker can log in remotely with it as often as they like. The impact is not limited to any region; it affects every deployment where MFA relies on these recovery codes.

Generated by OpenCVE AI on March 17, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.6.0-alpha.7 or 8.6.33 (or a later stable release).
  • After upgrading, verify that recovery codes are consumed after first use by attempting a second login with the same code.
  • Monitor authentication logs for repeated use of recovery codes and consider rotating MFA tokens if anomalous activity is observed.


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-4hf6-3x24-c9m8
Title: Parse Server's MFA recovery codes not consumed after use

History

Fri, 13 Mar 2026 17:30:00 +0000

Type: First Time appeared
Values added: Parseplatform; Parseplatform parse-server

Type: CPEs
Values added:
  • cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
  • cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
  • cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
  • cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
  • cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
  • cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*
  • cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*

Type: Vendors & Products
Values added: Parseplatform; Parseplatform parse-server

Type: Metrics (cvssV3_1)
Values added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 13 Mar 2026 03:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values added: Parse Community; Parse Community parse Server

Wed, 11 Mar 2026 18:15:00 +0000

Type: Description
Values added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. This vulnerability is fixed in 9.6.0-alpha.7 and 8.6.33.

Type: Title
Values added: Parse Server MFA recovery codes not consumed after use

Type: Weaknesses
Values added: CWE-672

Type: References
Values added: (none listed)

Type: Metrics (cvssV4_0)
Values added: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-03-12T20:06:19.822Z

Reserved: 2026-03-09T19:02:25.014Z

Link: CVE-2026-31875

Vulnrichment

Updated: 2026-03-12T20:06:16.612Z

NVD

Status: Analyzed

Published: 2026-03-11T18:16:27.003

Modified: 2026-03-13T17:15:25.833

Link: CVE-2026-31875

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:29:58Z
