CVE-2026-33624

Received Received - Intake

Recovery Code Reuse Vulnerability in Parse Server MFA Authentication

Publication date: 2026-03-24

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-24

Last Modified

2026-03-25

Generated

2026-06-16

AI Q&A

2026-03-24

EPSS Evaluated

2026-06-15

NVD

CVE-2026-33624

EUVD

EUVD-2026-14978

Affected Vendors & Products

Vendor	Product	Version / Range
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	9.6.0
parseplatform	parse-server	to 8.6.60 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-367	The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Attack-Flow Graph

Executive Summary

This vulnerability affects Parse Server versions prior to 8.6.60 and 9.6.0-alpha.54. An attacker who has obtained both a user's password and a single multi-factor authentication (MFA) recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This behavior defeats the intended single-use design of MFA recovery codes.

To exploit this vulnerability, the attacker must have the user's password, a valid recovery code, and the capability to send multiple login requests within milliseconds concurrently. The issue has been fixed in the specified patched versions.

Impact Analysis

The vulnerability allows an attacker who already has a user's password and one MFA recovery code to bypass the intended security mechanism that limits recovery code usage to a single time. By reusing the recovery code multiple times through concurrent login attempts, the attacker can repeatedly gain unauthorized access to the user's account.

This undermines the security provided by MFA recovery codes, potentially leading to unauthorized access, account compromise, and further exploitation depending on the privileges of the compromised account.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Parse Server to version 8.6.60 or later, or to version 9.6.0-alpha.54 or later, where the issue has been patched.

Hi! I’m here to help you understand CVE-2026-33624. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-33624

Recovery Code Reuse Vulnerability in Parse Server MFA Authentication

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart