CVE-2026-32943
Race Condition in Parse Server Password Reset Allows Account Takeover
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | From 9.0.0 (inc) to 9.6.0 (exc) |
| parseplatform | parse-server | to 8.6.48 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The only known mitigation for this vulnerability is to upgrade Parse Server to version 9.6.0-alpha.28 or later, or 8.6.48 or later.
These versions include a fix where the password reset token is atomically validated and consumed as part of the password update operation, preventing multiple concurrent uses of the same token.
There is no known workaround other than upgrading.
Can you explain this vulnerability to me?
This vulnerability affects the password reset mechanism in Parse Server versions prior to 9.6.0-alpha.28 and 8.6.48. The issue is that the reset tokens generated for password resets are not enforced as single-use, allowing multiple concurrent requests to consume the same token within a short time window.
An attacker who intercepts a password reset token can race against the legitimate user's reset request, causing both requests to succeed. This means the attacker can change the password instead of the legitimate user, while the legitimate user believes their password was successfully changed.
The vulnerability is fixed in versions 9.6.0-alpha.28 and 8.6.48 by atomically validating and consuming the reset token as part of the password update operation, ensuring only one request can use the token.
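The following is an added illustration of the check-then-use race the answer above describes and of the atomic validate-and-consume fix; it is not Parse Server code and does not use its API. It models each reset request as a generator, where every `yield` stands for an awaited database round trip during which another request can interleave, and a round-robin scheduler forces the worst-case interleaving so the result is deterministic. The token store, user table, token value, and all function names are constructed for the example.

```javascript
// Added example (not Parse Server code): a deterministic model of the
// check-then-use race in a password-reset flow, with the vulnerable
// variant beside an atomic validate-and-consume variant.
//
// Each "request" is a generator; `yield` marks a point where a real server
// would await a database round trip and another request could interleave.
// The token store is a constructed in-memory Map; all names are hypothetical.

// Vulnerable flow: the token is looked up (CHECK), the request awaits, and
// only then is the token deleted and the password written (USE). Two
// requests interleaved at the first yield both observe a valid token.
function* resetCheckThenUse(store, users, token, newPassword) {
  const record = store.get(token);           // CHECK: look up the token
  yield;                                     // awaited DB call: race window
  if (!record || record.expiresAt < Date.now()) return false;
  store.delete(token);                       // USE: consume the token
  yield;                                     // awaited DB call
  users.set(record.userId, newPassword);     // write the new password
  return true;
}

// Hardened flow: validation and consumption happen in one store operation,
// so at most one request ever receives the token record. In a real
// database this is a single conditional update keyed on the token rather
// than a read followed by a separate write.
function* resetAtomicConsume(store, users, token, newPassword) {
  const record = consumeToken(store, token); // one atomic validate-and-consume step
  yield;                                     // awaited DB call
  if (!record) return false;
  users.set(record.userId, newPassword);
  return true;
}

// Validate and remove the token in a single synchronous step; returns the
// record on success, or null if the token is missing or expired.
function consumeToken(store, token) {
  const record = store.get(token);
  if (!record || record.expiresAt < Date.now()) return null;
  store.delete(token);
  return record;
}

// Round-robin scheduler: advances every request one step per turn, which
// reproduces the interleaving in which all requests pass the check before
// any of them consumes the token.
function runInterleaved(requests) {
  const results = new Array(requests.length).fill(undefined);
  let pending = requests.length;
  while (pending > 0) {
    requests.forEach((gen, i) => {
      if (results[i] !== undefined) return;  // already finished
      const { value, done } = gen.next();
      if (done) { results[i] = value; pending--; }
    });
  }
  return results;
}

// Run `concurrent` resets with the same token through `flow` and count how
// many of them report success. A single-use token must yield exactly 1.
function successfulResets(flow, concurrent = 2) {
  // Constructed sample data: one valid, unexpired token for user "u1".
  const store = new Map([
    ['tok-constructed', { userId: 'u1', expiresAt: Date.now() + 60000 }],
  ]);
  const users = new Map([['u1', 'old-password']]);
  const requests = [];
  for (let i = 0; i < concurrent; i++) {
    requests.push(flow(store, users, 'tok-constructed', `pw-from-request-${i}`));
  }
  return runInterleaved(requests).filter(Boolean).length;
}

console.log('check-then-use, 2 concurrent:', successfulResets(resetCheckThenUse));   // 2
console.log('atomic consume, 2 concurrent:', successfulResets(resetAtomicConsume));  // 1
```

With the check-then-use flow every interleaved request succeeds, because each one captured a valid record before any of them deleted the token; the last writer's password wins and the others still report success, which matches the "both requests succeed" outcome in the answer above. With the atomic flow only the first request obtains the record and the rest fail closed. When reviewing a real implementation, the property to look for is the same: the token must be validated and invalidated by one conditional write (for example an update whose filter includes the token and whose result indicates whether a document was matched), never by a read followed by a separate write.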
How can this vulnerability impact me?
This vulnerability can allow an attacker who has intercepted a password reset token to take over a user's account by changing their password without authorization.
The legitimate user may be unaware that their account has been compromised because their password reset request appears to succeed.
This can lead to unauthorized access to user data and services protected by the compromised account.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know