Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.
Published: 2026-05-12
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Parse Server, prior to version 8.6.76 and 9.9.0-alpha.2, has a race condition in the MFA SMS one-time password (OTP) login flow that allows two concurrent /login requests carrying the same OTP to both succeed, granting two valid session tokens and breaking the OTP's single-use guarantee. This flaw can be exploited by an attacker who already has the victim's password and can intercept an active SMS OTP, such as through a SIM swap, network mirror, or phishing relay. The resulting impact is the ability to create multiple authenticated sessions from a single OTP.

Affected Systems

The affected product is Parse Server, an open-source backend by parse-community. All releases before 8.6.76 and before 9.9.0-alpha.2 are vulnerable.

Risk and Exploitability

The CVSS score of 2.1 reflects low severity, and the EPSS score is not available, indicating no documented exploitation frequency. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to already possess the victim's password and an intercepted OTP, and the race condition demands precise timing of two concurrent login attempts. Consequently, the likelihood of successful exploitation is low, though the potential impact would be the duplication of session tokens for a single OTP.

Generated by OpenCVE AI on May 12, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Parse Server installation to version 8.6.76 or later, or to 9.9.0-alpha.2 or newer.
  • Configure the OTP service or application logic to reject a second use of the same OTP, ensuring that each OTP is consumed only once.
  • Audit and monitor login activity for duplicate OTP usage to detect any attempted exploitation.
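The check-then-consume race described in the advisory, and the single-use consumption the recommended actions ask for, as an added JavaScript illustration that is not Parse Server's code: the in-memory store, the user, the OTP value and the round-robin scheduler are constructed stand-ins for a database and for concurrent /login requests.

```javascript
// Constructed illustration (not Parse Server's code) of the CWE-362 pattern behind
// CVE-2026-43930: a verifier with a database round-trip between "check the OTP" and
// "consume the OTP", next to one that checks and consumes in a single atomic step.
// A `yield` marks where a real handler would await the database and let another
// /login request run; runConcurrently() interleaves the requests round-robin.
function makeStore() { // constructed sample store: pending OTP per user, with expiry
  return new Map([['alice', { code: '482913', expiresAt: 2000 }]]);
}
// Vulnerable shape: read, suspend, then delete. Both concurrent requests read the
// record before either deletes it, so both pass the check and both get a session.
function* verifyVulnerable(store, user, code, now) {
  const rec = store.get(user);
  yield;                              // simulated await: DB read completes later
  if (!rec || rec.code !== code || now > rec.expiresAt) return false;
  store.delete(user);                 // consume, but the other request already passed
  return true;
}
// Fixed shape: compare and delete with no suspension point between them (the in-memory
// analogue of one atomic find-and-delete keyed on user AND code); the first caller wins.
function consumeIfMatch(store, user, code, now) {
  const rec = store.get(user);
  if (!rec || rec.code !== code || now > rec.expiresAt) return false;
  store.delete(user);
  return true;
}
function* verifyFixed(store, user, code, now) {
  const ok = consumeIfMatch(store, user, code, now);
  yield;                              // later DB work (e.g. session creation) is safe here
  return ok;
}
// Advance every generator one step per round until all finish; return how many
// requests were accepted. Models two /login requests arriving together.
function runConcurrently(gens) {
  const results = [];
  let pending = gens.length;
  while (pending > 0) {
    gens.forEach((g, i) => {
      if (results[i] !== undefined) return;
      const step = g.next();
      if (step.done) { results[i] = step.value; pending--; }
    });
  }
  return results.filter(Boolean).length;
}
// Two concurrent logins for 'alice' presenting the same OTP; returns sessions granted.
function raceSuccesses(verify, code = '482913') {
  const store = makeStore();
  return runConcurrently([1, 2].map(() => verify(store, 'alice', code, 1000)));
}
```

raceSuccesses(verifyVulnerable) returns 2 and raceSuccesses(verifyFixed) returns 1; in a real deployment the atomic step is the database's own find-and-delete or conditional update, not an in-memory Map.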

Advisories
Source: Github GHSA
ID: GHSA-jpq4-7fmq-q5fj
Title: parse-server: MFA SMS one-time password accepted twice under concurrent login
History

Tue, 26 May 2026 16:45:00 +0000

Type: First Time appeared
Values added: Parseplatform; Parseplatform parse-server

Type: CPEs
Values added: cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*; cpe:2.3:a:parseplatform:parse-server:9.9.0:alpha1:*:*:*:node.js:*:*

Type: Vendors & Products
Values added: Parseplatform; Parseplatform parse-server

Type: Metrics cvssV3_1
Values added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Wed, 13 May 2026 16:15:00 +0000

Type: Metrics ssvc
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 15:45:00 +0000

Type: First Time appeared
Values added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values added: Parse Community; Parse Community parse Server

Tue, 12 May 2026 14:00:00 +0000

Type: Description
Values added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.

Type: Title
Values added: Parse Server: MFA SMS one-time password accepted twice under concurrent login

Type: Weaknesses
Values added: CWE-362

Type: References (no values shown)

Type: Metrics cvssV4_0
Values added: {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T14:27:47.599Z

Reserved: 2026-05-04T16:59:09.089Z

Link: CVE-2026-43930

Vulnrichment

Updated: 2026-05-13T14:27:42.673Z

NVD

Status: Analyzed

Published: 2026-05-12T14:17:08.217

Modified: 2026-05-26T16:39:16.420

Link: CVE-2026-43930

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T16:00:13Z

Weaknesses