{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34224", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T16:22:29.033Z", "datePublished": "2026-03-31T14:25:22.782Z", "dateUpdated": "2026-04-02T15:16:27.489Z"}, "containers": {"cna": {"title": "Parse Server: MFA single-use token bypass via concurrent authData login requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.1, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf"}, {"name": "https://github.com/parse-community/parse-server/pull/10326", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10326"}, {"name": "https://github.com/parse-community/parse-server/pull/10327", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10327"}, {"name": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92"}, {"name": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 8.6.64", "status": "affected"}, {"version": ">= 9.0.0, < 9.7.0-alpha.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T14:25:22.782Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8."}], "source": {"advisory": "GHSA-w73w-g5xw-rwhf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:15:54.696601Z", "id": "CVE-2026-34224", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:16:27.489Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-34224", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T15:15:54.696601Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:16:23.058Z"}}], "cna": {"title": "Parse Server: MFA single-use token bypass via concurrent authData login requests", "source": {"advisory": "GHSA-w73w-g5xw-rwhf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": "< 8.6.64"}, {"status": "affected", "version": ">= 9.0.0, < 9.7.0-alpha.8"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/pull/10326", "name": "https://github.com/parse-community/parse-server/pull/10326", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/pull/10327", "name": "https://github.com/parse-community/parse-server/pull/10327", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92", "name": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf", "name": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T14:25:22.782Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34224", "state": "PUBLISHED", "dateUpdated": "2026-04-02T15:16:27.489Z", "dateReserved": "2026-03-26T16:22:29.033Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T14:25:22.782Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7C688FBB-87FE-4461-ABF0-CC850CAB2A5D", "versionEndExcluding": "8.6.64", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E3DFF698-B3EE-4DCA-BAF3-9BE52F0F77D7", "versionEndExcluding": "9.7.0", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "3A140D3A-AECC-4CA1-958C-3CA53E313B27", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "BEDAEFBC-DA77-4998-BDD6-A139E15E5CC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "8C9E59AF-3B82-4D61-847B-A18E7DDF7A34", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "2AB743CC-D168-4313-A5AA-43CF76D178E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "C351C736-AB91-4985-A0B4-43B120F5E5C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "F02797C9-E67D-4BF4-BB56-8D6DA9178322", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7:*:*:*:node.js:*:*", "matchCriteriaId": "B059E381-D0F6-4425-92C0-167486379A98", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8."}], "id": "CVE-2026-34224", "lastModified": "2026-04-02T16:16:23.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T15:16:18.590", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/pull/10326"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/pull/10327"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.64)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.7.0-alpha.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-04-02T04:55:13.904949+00:00", "value": {"mitigation_remediation": ["Upgrade Parse Server to version 8.6.64 or later, or 9.7.0-alpha.8 or later"], "summary": {"action": "Patch Now", "impact": "MFA bypass allowing multiple authenticated sessions"}, "threat_synthesis": {"affected_systems": "Parse Server, the open source backend from parse-community, is affected. Any deployment running a version earlier than 8.6.64 or earlier than 9.7.0-alpha.8 is vulnerable. The product runs in a Node.js environment.", "description_and_impact": "A flaw in Parse Server allows an attacker with a valid authentication provider token and a single MFA recovery or SMS one\u2011time password to send concurrent login requests via the authData endpoint. This bypasses the expected single\u2011use nature of the MFA token, enabling the creation of multiple active sessions. Consequently, an attacker can maintain authenticated access even after the legitimate user revokes detected sessions, undermining the integrity of MFA protection.", "risk_and_exploitability": "The vulnerability is rated as low severity and has a very low probability of exploitation. It is not listed in CISA's catalog of known exploited vulnerabilities, indicating no confirmed real\u2011world attacks to date. Exploitation requires the attacker to hold a valid provider token and a single MFA code and to issue several concurrent login requests. While the risk is modest, the impact on the MFA enforcement mechanism is notable."}}}}, "created": "2026-03-31T19:54:23.927674+00:00", "updated": "2026-04-02T07:53:17.387767+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}