Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.
Published: 2026-05-12
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Parse Server, prior to version 8.6.76 and 9.9.0-alpha.2, has a race condition in the MFA SMS one-time password (OTP) login flow that allows two concurrent /login requests carrying the same OTP to both succeed, granting two valid session tokens and breaking the OTP’s single-use guarantee. This flaw can be exploited by an attacker who already has the victim’s password and can intercept an active SMS OTP, such as through a SIM swap, network mirror, or phishing relay. The resulting impact is the ability to create multiple authenticated sessions from a single OTP.

Affected Systems

The affected product is Parse Server, an open-source backend by parse-community. All releases before 8.6.76 and before 9.9.0-alpha.2 are vulnerable.

Risk and Exploitability

The CVSS score of 2.1 reflects low severity, and no EPSS score is yet available, so there is no published estimate of exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to already possess the victim’s password and an intercepted OTP, and the race condition demands precise timing of two concurrent login attempts. Consequently, the likelihood of successful exploitation is low, though a successful race would yield duplicate session tokens from a single OTP.

Generated by OpenCVE AI on May 12, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Parse Server installation to version 8.6.76 or later, or to 9.9.0-alpha.2 or newer.
  • Configure the OTP service or application logic to reject a second use of the same OTP, ensuring that each OTP is consumed only once.
  • Audit and monitor login activity for duplicate OTP usage to detect any attempted exploitation.

Generated by OpenCVE AI on May 12, 2026 at 15:50 UTC.
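One way to implement the monitoring item above, as an added example that is not Parse Server's or OpenCVE's code: a detector that groups successful MFA logins by user and OTP and flags any OTP that was accepted more than once, reporting how far apart the accepts were. The log line format, the field names, and the sample lines themselves are constructed for this example and do not reflect Parse Server's actual log output.

```javascript
// Added example, not Parse Server's or OpenCVE's code: a detector that flags an
// OTP accepted more than once, the signal that "audit and monitor login activity
// for duplicate OTP usage" asks for. The log lines are constructed for this
// example and their field names are assumptions, not Parse Server's log format.

// One MFA login attempt per line:
//   "<ISO time> mfa_login_ok user=<id> otp=<hash prefix> session=<token>"
//   "<ISO time> mfa_login_fail user=<id> otp=<hash prefix> reason=<why>"
const sampleLogLines = [
  '2026-05-12T10:00:01.004Z mfa_login_ok user=alice otp=9f86d081 session=r:aaaa',
  '2026-05-12T10:00:01.019Z mfa_login_ok user=alice otp=9f86d081 session=r:bbbb',
  '2026-05-12T10:03:44.120Z mfa_login_ok user=bob   otp=5e884898 session=r:cccc',
  '2026-05-12T10:09:10.500Z mfa_login_fail user=bob otp=5e884898 reason=already_used',
  '2026-05-12T10:15:00.000Z mfa_login_ok user=alice otp=2c26b46b session=r:dddd',
];

const OK_LINE_RE = /^(\S+)\s+mfa_login_ok\s+user=(\S+)\s+otp=(\S+)\s+session=(\S+)/;

// Keep only accepted logins; failures and unrelated lines are not OTP consumptions.
function parseSuccessfulMfaLogins(lines) {
  const events = [];
  for (const line of lines) {
    const m = OK_LINE_RE.exec(line);
    if (!m) continue;
    events.push({ ts: new Date(m[1]), user: m[2], otp: m[3], session: m[4] });
  }
  return events;
}

// Group accepted logins by (user, otp). Any group holding more than one session
// means one OTP produced several sessions, which a single-use OTP never should.
// A spread of a few milliseconds is the signature of a concurrent-request race.
function findDuplicateOtpAccepts(lines) {
  const groups = new Map();
  for (const ev of parseSuccessfulMfaLogins(lines)) {
    const key = `${ev.user}|${ev.otp}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(ev);
  }
  const findings = [];
  for (const [key, evs] of groups) {
    if (evs.length < 2) continue;
    const [user, otp] = key.split('|');
    const times = evs.map((e) => e.ts.getTime());
    findings.push({
      user,
      otp,
      sessions: evs.map((e) => e.session),
      spreadMs: Math.max(...times) - Math.min(...times),
    });
  }
  return findings;
}

for (const f of findDuplicateOtpAccepts(sampleLogLines)) {
  console.log(`ALERT user=${f.user} otp=${f.otp} accepted ${f.sessions.length}x ` +
              `within ${f.spreadMs} ms: ${f.sessions.join(', ')}`);
}
```

Logging a short hash prefix of the OTP rather than the code itself is what makes this check possible without writing secrets to the log; the detector only needs equality between accepts, not the original value.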


Advisories
Source: GitHub GHSA
ID: GHSA-jpq4-7fmq-q5fj
Title: parse-server: MFA SMS one-time password accepted twice under concurrent login
History

Tue, 12 May 2026 15:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values Removed: (none)
Values Added: Parse Community; Parse Community parse Server

Tue, 12 May 2026 14:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.

Type: Title
Values Removed: (none)
Values Added: Parse Server: MFA SMS one-time password accepted twice under concurrent login

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-362

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0
{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:34:50.567Z

Reserved: 2026-05-04T16:59:09.089Z

Link: CVE-2026-43930

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T14:17:08.217

Modified: 2026-05-12T14:17:08.217

Link: CVE-2026-43930

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T16:00:13Z

Weaknesses