Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user's password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker's password takes effect instead. All Parse Server deployments that use the password reset feature are affected. Starting in versions 9.6.0-alpha.28 and 8.6.48, the password reset token is now atomically validated and consumed as part of the password update operation. The database query that updates the password includes the reset token as a condition, ensuring that only one concurrent request can successfully consume the token. Subsequent requests using the same token will fail because the token has already been cleared. There is no known workaround other than upgrading.
Published: 2026-03-18
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover via password reset token reuse
Action: Apply Patch
AI Analysis

Impact

Parse Server’s password reset mechanism did not enforce single-use guarantees for reset tokens in versions prior to 9.6.0-alpha.28 and 8.6.48. When a user requests a reset, the generated token can be consumed by multiple concurrent requests within a short window. An attacker who has obtained or intercepted the token can race the legitimate reset request, causing both to succeed. The user believes their password changed, while the attacker’s password takes effect, resulting in an account takeover. This weakness is identified as CWE‑367.

Affected Systems

All deployments of parse-community:parse-server that use the password reset feature and run a version older than 9.6.0-alpha.28 or 8.6.48 are affected. The vulnerability affects all Parse Server releases prior to these version milestones, regardless of minor or patch levels.

Risk and Exploitability

The CVSS score is 2.3, indicating low impact. EPSS is below 1% and the flaw is not listed in the CISA KEV catalog. While the risk is low, exploitation is possible over the network by an attacker who can observe or inject the reset token. The vulnerability can be exploited by sending a concurrent reset request before the valid token is invalidated, which is a race condition and requires proximity to the token. No additional conditions or privilege are needed beyond the ability to use the password reset endpoint.

Generated by OpenCVE AI on March 19, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.6.0-alpha.28 or later, or 8.6.48 or later, to enable atomic validation and single‑use consumption of reset tokens.
  • No known workaround exists; disabling the password reset feature is not recommended. Apply the upgrade as soon as possible to eliminate the vulnerability.

Generated by OpenCVE AI on March 19, 2026 at 18:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r3xq-68wh-gwvh Parse Server has a password reset token single-use bypass via concurrent requests
History

Thu, 19 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Thu, 19 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Wed, 18 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user's password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker's password takes effect instead. All Parse Server deployments that use the password reset feature are affected. Starting in versions 9.6.0-alpha.28 and 8.6.48, the password reset token is now atomically validated and consumed as part of the password update operation. The database query that updates the password includes the reset token as a condition, ensuring that only one concurrent request can successfully consume the token. Subsequent requests using the same token will fail because the token has already been cleared. There is no known workaround other than upgrading.
Title Parse Server has a password reset token single-use bypass via concurrent requests
Weaknesses CWE-367
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T15:49:23.486Z

Reserved: 2026-03-17T00:05:53.283Z

Link: CVE-2026-32943

cve-icon Vulnrichment

Updated: 2026-03-19T15:49:16.331Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T22:16:25.810

Modified: 2026-03-19T16:55:36.633

Link: CVE-2026-32943

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:52:00Z

Weaknesses