CVE-2026-34224

Severity: Low (CVSS 4.0 base score 2.1)
EPSS: 22.8%
Published: Mar 31, 2026
Last Modified: Jun 17, 2026

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.
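
The general time-of-check/time-of-use pattern behind this class of bug (CWE-367), as an added JavaScript example that is not Parse Server's code: a single-use code that is validated and invalidated in two separate steps yields one session per concurrent request, while an atomic consume yields exactly one. The in-memory store, the function names, the sample code value and the simulated latency are all assumptions made for illustration.

```javascript
// Added illustration. makeStore, loginCheckThenUse, loginAtomic and countSessions
// are hypothetical names; nothing here is taken from the Parse Server code base.
const tick = () => new Promise((resolve) => setImmediate(resolve)); // simulated DB round trip

function makeStore(codes) {
  const unused = new Set(codes);
  return {
    async has(code) { await tick(); return unused.has(code); },
    async remove(code) { await tick(); unused.delete(code); },
    // Atomic compare-and-delete: only the first caller gets true.
    async consume(code) { await tick(); return unused.delete(code); },
  };
}

let nextSessionId = 0;

// Racy flow: the code is checked, then invalidated in a separate step.
// Requests that arrive before the first removal completes all pass the check.
async function loginCheckThenUse(store, code) {
  if (!(await store.has(code))) return null;
  await store.remove(code);
  return { sessionId: ++nextSessionId };
}

// Hardened flow: checking and invalidating the code is a single operation,
// so the single-use guarantee holds under concurrency.
async function loginAtomic(store, code) {
  return (await store.consume(code)) ? { sessionId: ++nextSessionId } : null;
}

// Fires `parallel` concurrent logins with the same code and counts sessions issued.
async function countSessions(login, parallel) {
  const store = makeStore(['RECOVERY-1']); // constructed sample recovery code
  const results = await Promise.all(
    Array.from({ length: parallel }, () => login(store, 'RECOVERY-1'))
  );
  return results.filter(Boolean).length;
}

countSessions(loginCheckThenUse, 5).then((n) => console.log('check-then-use sessions:', n));
countSessions(loginAtomic, 5).then((n) => console.log('atomic consume sessions:', n));
```

Against a real database, the equivalent of `consume` is a conditional update or delete whose affected-row count decides whether the login proceeds.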

CVSS Details

Base Score: 2.1
Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: X

Threat Intelligence

EPSS Exploit Probability: 22.8% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses 1

CWE-367

Affected Products 9

Vendor         Product       Version  Range
parseplatform  parse-server  *        <8.6.64
parseplatform  parse-server  *        ≥9.0.0 – <9.7.0
parseplatform  parse-server  9.7.0    any
parseplatform  parse-server  9.7.0    any
parseplatform  parse-server  9.7.0    any
parseplatform  parse-server  9.7.0    any
parseplatform  parse-server  9.7.0    any
parseplatform  parse-server  9.7.0    any
parseplatform  parse-server  9.7.0    any

References 5

  • https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92
    Patch
  • https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf
    Patch
  • https://github.com/parse-community/parse-server/pull/10326
    Issue Tracking, Patch
  • https://github.com/parse-community/parse-server/pull/10327
    Issue Tracking, Patch
  • https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf
    Patch, Vendor Advisory
