Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.
Published: 2026-03-31
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: MFA bypass allowing multiple authenticated sessions
Action: Patch Now
AI Analysis

Impact

A flaw in Parse Server allows an attacker holding a valid authentication provider token and a single MFA recovery code or SMS one-time password to send concurrent login requests through the authData login endpoint. The check that the code is still unused and the write that marks it consumed are not atomic (CWE-367, a time-of-check/time-of-use race), so every request whose check runs before the first write lands is accepted, and one single-use code yields several active sessions. An attacker can therefore keep authenticated access even after the legitimate user revokes the sessions they notice, undermining the MFA protection.
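The race described above, as an added model written for this page (it is not Parse Server's own code): a user record with one unused recovery code, a simulated database round-trip that yields to the event loop, a login path that checks the code and marks it used in separate round-trips, and a hardened path that consumes the code in one atomic step. `makeUser`, `loginVulnerable`, `loginFixed`, `raceLogins` and the sample user are hypothetical names; the session token is a placeholder counter rather than a real random token.

```javascript
// Added model of the check-then-consume race (CWE-367) behind this advisory.
// Illustrative code for this page, not Parse Server's implementation. All
// names below are hypothetical and the "database" is an in-memory object.

// Constructed sample record: one user holding a single unused recovery code.
function makeUser() {
  return { id: "user-1", recoveryCodes: ["rc-0001"], usedCodes: [] };
}

// Simulated database round-trip. The await yields to the event loop, which is
// exactly the gap that lets other concurrent requests interleave.
function dbRoundTrip(value) {
  return new Promise((resolve) => setTimeout(() => resolve(value), 0));
}

let sessionCounter = 0;
// Placeholder session token; a real server mints a random token here.
function mintSession(userId) {
  sessionCounter += 1;
  return `${userId}:session-${sessionCounter}`;
}

// Vulnerable pattern: read, check, then write in separate round-trips.
// Every request whose read happens before the first write lands sees the
// code as unused, passes the check, and is issued a session.
async function loginVulnerable(user, code) {
  const snapshot = await dbRoundTrip({ recoveryCodes: [...user.recoveryCodes] });
  if (!snapshot.recoveryCodes.includes(code)) return null;          // time of check
  await dbRoundTrip(null);                                          // e.g. provider token validation
  user.recoveryCodes = user.recoveryCodes.filter((c) => c !== code); // time of use
  user.usedCodes.push(code);
  return mintSession(user.id);
}

// Hardened pattern: consume the code with a single atomic conditional update
// before issuing anything. Modelled as one synchronous step; on a real
// database this is one conditional update whose filter requires the code to
// still be present, so only one of the racing requests can observe a match.
function consumeCodeAtomically(user, code) {
  const idx = user.recoveryCodes.indexOf(code);
  if (idx === -1) return false;
  user.recoveryCodes.splice(idx, 1);
  user.usedCodes.push(code);
  return true;
}

async function loginFixed(user, code) {
  await dbRoundTrip(null);                                   // provider token validation
  if (!consumeCodeAtomically(user, code)) return null;       // check and use, together
  await dbRoundTrip(null);                                   // session write
  return mintSession(user.id);
}

// Fire n concurrent logins that reuse the same single-use code and count the
// sessions minted. The single-use guarantee holds only if this returns 1
// regardless of n.
async function raceLogins(loginFn, n) {
  const user = makeUser();
  const results = await Promise.all(
    Array.from({ length: n }, () => loginFn(user, "rc-0001"))
  );
  return results.filter((token) => token !== null).length;
}

// Stand-alone run: the vulnerable path mints one session per request,
// the fixed path mints exactly one.
if (typeof module !== "undefined" && require.main === module) {
  raceLogins(loginVulnerable, 5).then((n) => console.log("vulnerable:", n, "sessions"));
  raceLogins(loginFixed, 5).then((n) => console.log("fixed:", n, "sessions"));
}
```

The fix is not "add a lock around the whole login"; it is moving the consumption of the single-use code into one conditional write and refusing to issue a session unless that write reported a match. The same shape applies to SMS one-time passwords. For hunting on a real deployment, the observable artifact is a burst of `_Session` objects (the class Parse Server stores sessions in) for one user created within milliseconds of each other, all tied to the same recovery-code or OTP login.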

Affected Systems

Parse Server, the open source backend maintained by parse-community, is affected. Every release before 8.6.64 and every 9.7.0 pre-release before 9.7.0-alpha.8 is vulnerable (the CPE data in the history below lists 9.7.0 alpha1 through alpha7 explicitly). The product runs on Node.js.

Risk and Exploitability

CVSS v4.0 scores the issue 2.1 (Low); the v3.1 vector recorded in the history below scores it 4.4 (Medium). The vector components explain the low numbers: AC:H reflects the race window the attacker has to hit, and PR:H reflects that the attacker must already hold a valid authentication provider token plus one unused MFA recovery code or SMS one-time password, so what is bypassed is the single-use guarantee of the second factor, not authentication as a whole. EPSS is below 1% and the CVE is not in CISA's Known Exploited Vulnerabilities catalog, so no real-world exploitation has been confirmed. The notable part is persistence: one code can be turned into several sessions, and revoking the sessions the user notices leaves the others alive.

Generated by OpenCVE AI on April 2, 2026 at 04:55 UTC.

Remediation

Fixed in Parse Server 8.6.64 and 9.7.0-alpha.8, per the advisory description. No workaround other than upgrading is listed.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.64 or later, or 9.7.0-alpha.8 or later
  • The upgrade closes the race but does not invalidate sessions that were already minted; after upgrading, review and revoke existing sessions for any account whose recovery code or SMS one-time password may have been replayed



Advisories
Source: GitHub GHSA
ID: GHSA-w73w-g5xw-rwhf
Title: Parse Server has an MFA single-use token bypass via concurrent authData login requests
History

Thu, 02 Apr 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: First Time appeared
Values removed: none
Values added: Parseplatform; Parseplatform parse-server

Type: CPEs
Values removed: none
Values added:
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7:*:*:*:node.js:*:*

Type: Vendors & Products
Values removed: none
Values added: Parseplatform; Parseplatform parse-server

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N'}


Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values removed: none
Values added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values removed: none
Values added: Parse Community; Parse Community parse Server

Tue, 31 Mar 2026 15:00:00 +0000

Type: Description
Values removed: none
Values added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.

Type: Title
Values removed: none
Values added: Parse Server: MFA single-use token bypass via concurrent authData login requests

Type: Weaknesses
Values removed: none
Values added: CWE-367 (Time-of-check Time-of-use Race Condition)

Type: References
Values removed: none
Values added: (not captured on this page)

Type: Metrics (cvssV4_0)
Values removed: none
Values added: {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:16:27.489Z

Reserved: 2026-03-26T16:22:29.033Z

Link: CVE-2026-34224

Vulnrichment

Updated: 2026-04-02T15:16:23.058Z

NVD

Status : Modified

Published: 2026-03-31T15:16:18.590

Modified: 2026-04-02T16:16:23.570

Link: CVE-2026-34224

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:53:17Z

Weaknesses