parse-server: MFA SMS one-time password accepted twice under concurrent login
- Severity: Low
Description
A race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim’s password and intercept the active SMS OTP (e.g.
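The single-use property breaks when the OTP check and the OTP invalidation are two separate store round trips, because both concurrent requests can pass the check before either invalidates. The following is an added illustration, not parse-server's code: a constructed in-memory store stands in for the database, a check-then-delete consumer reproduces the double acceptance, and an atomic compare-and-delete (one conditional update in a real database) restores single use.

```javascript
// Added example (not parse-server's code). OtpStore is a constructed stand-in
// for a database; each async method yields once, like a network round trip.
class OtpStore {
  constructor() { this.codes = new Map(); }
  async get(userId) { await Promise.resolve(); return this.codes.get(userId); }
  async del(userId) { await Promise.resolve(); return this.codes.delete(userId); }
  // Atomic: match and removal happen in one step with no await between them.
  // In a real database this is a single conditional update (filter on userId
  // AND code, unset the code) whose result says whether a record matched.
  async compareAndDelete(userId, code) {
    await Promise.resolve();
    if (this.codes.get(userId) !== code) return false;
    this.codes.delete(userId);
    return true;
  }
}

// Racy pattern: check and delete are separate round trips, so two concurrent
// requests can both read a still-valid OTP before either deletes it.
async function consumeOtpRacy(store, userId, code) {
  const stored = await store.get(userId);
  if (stored !== code) return false;
  await store.del(userId);
  return true;
}

// Fixed pattern: the store decides match-and-consume atomically, so at most
// one of the concurrent requests observes success.
async function consumeOtpAtomic(store, userId, code) {
  return store.compareAndDelete(userId, code);
}

// Issues n concurrent login attempts carrying the same OTP and returns how
// many of them were accepted. A correct implementation accepts exactly one.
async function countSuccesses(consume, n = 2) {
  const store = new OtpStore();
  store.codes.set('user-1', '123456'); // constructed sample user and OTP
  const results = await Promise.all(
    Array.from({ length: n }, () => consume(store, 'user-1', '123456'))
  );
  return results.filter(Boolean).length;
}
```

The same detection idea applies to the related recovery-code and password-reset token paths: any "read, compare, then invalidate" sequence across separate store operations is a candidate for this class of bug.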
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): **< 8.6.76** and **>= 9.0.0, < 9.9.0-alpha.2**
- Patched version(s): **8.6.76** and **9.9.0-alpha.2**
Related Issues
- Parse Server has an MFA single-use token bypass via concurrent authData login requests - CVE-2026-34224
- Parse Server: MFA recovery code single-use bypass via concurrent requests - CVE-2026-33624
- Parse Server has a password reset token single-use bypass via concurrent requests - CVE-2026-32943
- Parse Server has a NoSQL injection via token type in password reset and email verification endpoints - CVE-2026-30941
- Tags: npm, parse-server
Last updated on May 13, 2026


