Parse Server has an MFA single-use token bypass via concurrent authData login requests

Description

An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.64

  >= 9.0.0, < 9.7.0-alpha.8**

• Patched version(s): **8.6.64

  9.7.0-alpha.8**

References

• GHSA-w73w-g5xw-rwhf
• CVE-2026-34224
• CWE-367
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Parse Server has a password reset token single-use bypass via concurrent requests - CVE-2026-32943
• Parse Server: MFA recovery code single-use bypass via concurrent requests - CVE-2026-33624
• Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
• Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498

You might also like:

Exploiting Server Version Disclosure

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Update Cheat Sheet for Developers

Tags:

npm

parse-server