CVE-2026-33624

EUVD-2026-14978

24.03.2026, 19:16

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54.

TOCTOU

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	2.7 LOW	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
parseplatform	parse-server	𝑥 < 8.6.60
parseplatform	parse-server	9.0.0 ≤ 𝑥 < 9.6.0
parseplatform	parse-server	9.6.0:alpha1
parseplatform	parse-server	9.6.0:alpha10
parseplatform	parse-server	9.6.0:alpha11
parseplatform	parse-server	9.6.0:alpha12
parseplatform	parse-server	9.6.0:alpha13
parseplatform	parse-server	9.6.0:alpha14
parseplatform	parse-server	9.6.0:alpha15
parseplatform	parse-server	9.6.0:alpha16
parseplatform	parse-server	9.6.0:alpha17
parseplatform	parse-server	9.6.0:alpha18
parseplatform	parse-server	9.6.0:alpha19
parseplatform	parse-server	9.6.0:alpha2
parseplatform	parse-server	9.6.0:alpha20
parseplatform	parse-server	9.6.0:alpha21
parseplatform	parse-server	9.6.0:alpha22
parseplatform	parse-server	9.6.0:alpha23
parseplatform	parse-server	9.6.0:alpha24
parseplatform	parse-server	9.6.0:alpha25
parseplatform	parse-server	9.6.0:alpha26
parseplatform	parse-server	9.6.0:alpha27
parseplatform	parse-server	9.6.0:alpha28
parseplatform	parse-server	9.6.0:alpha29
parseplatform	parse-server	9.6.0:alpha3
parseplatform	parse-server	9.6.0:alpha30
parseplatform	parse-server	9.6.0:alpha31
parseplatform	parse-server	9.6.0:alpha32
parseplatform	parse-server	9.6.0:alpha33
parseplatform	parse-server	9.6.0:alpha34
parseplatform	parse-server	9.6.0:alpha35
parseplatform	parse-server	9.6.0:alpha36
parseplatform	parse-server	9.6.0:alpha37
parseplatform	parse-server	9.6.0:alpha38
parseplatform	parse-server	9.6.0:alpha39
parseplatform	parse-server	9.6.0:alpha4
parseplatform	parse-server	9.6.0:alpha40
parseplatform	parse-server	9.6.0:alpha41
parseplatform	parse-server	9.6.0:alpha42
parseplatform	parse-server	9.6.0:alpha43
parseplatform	parse-server	9.6.0:alpha44
parseplatform	parse-server	9.6.0:alpha45
parseplatform	parse-server	9.6.0:alpha46
parseplatform	parse-server	9.6.0:alpha47
parseplatform	parse-server	9.6.0:alpha48
parseplatform	parse-server	9.6.0:alpha49
parseplatform	parse-server	9.6.0:alpha5
parseplatform	parse-server	9.6.0:alpha50
parseplatform	parse-server	9.6.0:alpha51
parseplatform	parse-server	9.6.0:alpha52
parseplatform	parse-server	9.6.0:alpha53
parseplatform	parse-server	9.6.0:alpha6
parseplatform	parse-server	9.6.0:alpha7
parseplatform	parse-server	9.6.0:alpha8
parseplatform	parse-server	9.6.0:alpha9

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

References

https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff

https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c

https://github.com/parse-community/parse-server/pull/10275

https://github.com/parse-community/parse-server/pull/10276

https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp