Description
When multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback for when the user cannot provide a TOTP token. However, a recovery code is not invalidated after it has been used, so the same recovery code can be accepted an unlimited number of times, defeating its single-use design.
Recommendation
Update the parse-server package to the latest compatible version. Version details:
Affected version(s): **< 8.6.33** and **>= 9.0.0-alpha.1, < 9.6.0-alpha.7**
Patched version(s): **8.6.33** and **9.6.0-alpha.7**
References
Related Issues
- Parse Server: MFA recovery code single-use bypass via concurrent requests - CVE-2026-33624
- Parse Server has a password reset token single-use bypass via concurrent requests - CVE-2026-32943
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- Parse Server LiveQuery subscription query depth bypass - CVE-2026-33508
Tags:
- npm
- parse-server
Last updated on March 11, 2026