CVE-2026-34224
Authentication Bypass in Parse Server via MFA Recovery Code Reuse
Publication date: 2026-03-31
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | From 9.0.0 (inc) to 9.7.0 (exc) |
| parseplatform | parse-server | 9.7.0 |
| parseplatform | parse-server | to 8.6.64 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34224 is a security vulnerability in Parse Server related to multi-factor authentication (MFA). It allows an attacker who has a valid authentication provider token and a single MFA recovery code or SMS one-time password to bypass the intended single-use restriction of these MFA tokens.
The vulnerability arises because multiple concurrent login requests using the same MFA recovery code or SMS one-time password can be processed simultaneously, enabling the attacker to create multiple authenticated sessions. This defeats the single-use guarantee of MFA tokens, allowing session persistence even after the legitimate user revokes detected sessions.
The root cause is a race condition where the system checks the MFA token state before use, but concurrent requests can modify the token array between the check and use, allowing multiple successful authentications with the same token.
The issue was fixed by implementing an optimistic locking mechanism during the login process that ensures only one concurrent request can consume a single-use MFA token, preventing reuse in concurrent scenarios.
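The check-then-use race described above, and the optimistic-locking fix, reduced to a small simulation. This is an added example, not Parse Server's code: the record shape, the `version` field and all function names are hypothetical, and the database round trip is simulated with a promise so that concurrent requests interleave the way they would in a real server.

```javascript
// Simulation of the check-then-use race and an optimistic-locking fix.
// Hypothetical names throughout; this is not Parse Server's code.

// In-memory stand-in for the user record holding unused recovery codes.
function makeUserRecord(codes) {
  return { recoveryCodes: [...codes], version: 0 };
}

// Simulated database round trip (yields to other concurrent requests).
const dbRoundTrip = () => new Promise((resolve) => setImmediate(resolve));

// VULNERABLE (CWE-367): the membership check and the removal are separated
// by awaits, so every concurrent request sees the code as unused before any
// of them removes it, and each one gets a session.
async function consumeCodeRacy(record, code) {
  const codes = record.recoveryCodes;                     // time of check
  await dbRoundTrip();
  if (!codes.includes(code)) return false;
  await dbRoundTrip();
  record.recoveryCodes = codes.filter((c) => c !== code); // time of use
  return true;                                            // session issued
}

// FIXED: optimistic locking. The write carries the version observed at read
// time and is applied only if nothing changed in between; the losers fail.
function conditionalWrite(record, expectedVersion, newCodes) {
  if (record.version !== expectedVersion) return false; // another request won
  record.recoveryCodes = newCodes;
  record.version += 1;
  return true;
}

async function consumeCodeAtomic(record, code) {
  const { recoveryCodes, version } = record;            // snapshot + version
  await dbRoundTrip();
  if (!recoveryCodes.includes(code)) return false;
  await dbRoundTrip();
  const remaining = recoveryCodes.filter((c) => c !== code);
  return conditionalWrite(record, version, remaining);
}

// Fire n concurrent logins presenting the same code; count issued sessions.
// Constructed sample codes; expected: racy -> n, atomic -> at most 1.
async function countIssuedSessions(consume, code, n = 5) {
  const record = makeUserRecord(["alpha-1111", "bravo-2222"]);
  const results = await Promise.all(
    Array.from({ length: n }, () => consume(record, code))
  );
  return results.filter(Boolean).length;
}
```

In a real deployment the conditional write is the database's own atomic conditional update (update only where the stored version still matches), which is what turns the second request's success into a conflict.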
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker who has obtained a valid authentication token and a single MFA recovery code or SMS one-time password to create multiple authenticated sessions concurrently.
As a result, the attacker can maintain persistent access to your account or system even if you revoke sessions detected as unauthorized, effectively bypassing the protection that MFA is supposed to provide.
This unauthorized session persistence can lead to unauthorized actions being performed under your identity, potentially compromising the integrity of your data or services.
However, the vulnerability has a low severity rating (CVSS v4 base score 2.1) and requires high privileges and coordination of concurrent requests, limiting the ease of exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation consists of several concurrent login requests to the authData login endpoint that present the same MFA recovery code or SMS one-time password, so detection centres on finding near-simultaneous successful logins that consumed the same code.
Because these codes are meant to be single-use, any second successful login with the same recovery code or SMS OTP is a finding in its own right; a burst of successes within a second or two of each other is the pattern this vulnerability produces, so analyse your authentication logs for multiple concurrent or near-simultaneous login requests using the same code.
Specific commands are not provided in the available resources, but general approaches include:
- Review Parse Server authentication logs for repeated or concurrent login attempts with identical MFA recovery codes or SMS OTPs.
- Use network monitoring tools to detect multiple simultaneous POST requests to the authData login endpoint from the same source or using the same authentication token.
- Implement custom logging or alerting in your Parse Server instance to flag multiple concurrent login attempts using the same MFA recovery code.
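One way to implement the log review suggested above, as an added example that is not part of the advisory or of Parse Server. The log format, the field names and the sample lines are constructed; `tokenId` is assumed to be a hash or identifier of the recovery code or OTP rather than the raw value. Adapt the parser to whatever your deployment actually logs.

```javascript
// Detection over constructed sample log lines: flag single-use MFA tokens
// (recovery code or SMS OTP) that produced more than one successful session.
// Field names are hypothetical; tokenId is assumed to be a hash/identifier
// of the code, never the raw code itself.
const SAMPLE_LOG = [
  '{"ts":"2026-03-31T10:00:00.100Z","event":"mfa_login","tokenId":"rc_7f3a","result":"ok","ip":"198.51.100.7"}',
  '{"ts":"2026-03-31T10:00:00.180Z","event":"mfa_login","tokenId":"rc_7f3a","result":"ok","ip":"198.51.100.7"}',
  '{"ts":"2026-03-31T10:00:00.240Z","event":"mfa_login","tokenId":"rc_7f3a","result":"ok","ip":"198.51.100.9"}',
  '{"ts":"2026-03-31T10:03:12.000Z","event":"mfa_login","tokenId":"rc_9b21","result":"ok","ip":"203.0.113.5"}',
  '{"ts":"2026-03-31T10:05:00.000Z","event":"mfa_login","tokenId":"sms_4410","result":"ok","ip":"203.0.113.5"}',
  '{"ts":"2026-03-31T10:05:04.000Z","event":"mfa_login","tokenId":"sms_4410","result":"fail","ip":"203.0.113.5"}',
];

// Keep only successful MFA logins; malformed lines are skipped, not fatal.
function parseSuccessfulMfaLogins(lines) {
  const out = [];
  for (const line of lines) {
    try {
      const e = JSON.parse(line);
      if (e.event === "mfa_login" && e.result === "ok") out.push(e);
    } catch {
      // not JSON; ignore this line
    }
  }
  return out;
}

// A single-use token should yield at most one session. Report any token
// with more, and how many of those sessions fell within windowMs of the
// first one (a burst points at the concurrent-request race; a later
// repeat points at replay of a code that was never invalidated).
function findReusedSingleUseTokens(lines, windowMs = 5000) {
  const byToken = new Map();
  for (const e of parseSuccessfulMfaLogins(lines)) {
    if (!byToken.has(e.tokenId)) byToken.set(e.tokenId, []);
    byToken.get(e.tokenId).push(Date.parse(e.ts));
  }
  const findings = [];
  for (const [tokenId, times] of byToken) {
    if (times.length < 2) continue;
    times.sort((a, b) => a - b);
    const burst = times.filter((t) => t - times[0] <= windowMs).length;
    findings.push({ tokenId, sessions: times.length, withinWindow: burst });
  }
  return findings;
}
```

On the sample above only `rc_7f3a` is reported (three sessions, all within the window); the failed retry of `sms_4410` is not a reuse because it never produced a session.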
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Parse Server to a patched version where this vulnerability is fixed.
- Upgrade to Parse Server version 8.6.64 or later, or 9.7.0-alpha.8 or later, where the fix has been applied.
The fix involves implementing optimistic locking on the authData login process to prevent concurrent reuse of MFA recovery codes or SMS OTPs, ensuring single-use tokens cannot be reused concurrently.
Until the upgrade is applied, consider monitoring and limiting concurrent login attempts using the same MFA recovery code or SMS OTP to reduce risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker with valid authentication tokens and a single MFA recovery code or SMS one-time password to create multiple authenticated sessions by bypassing the single-use restriction of MFA tokens. This undermines the security guarantees of multi-factor authentication, potentially leading to unauthorized persistent access even after legitimate session revocation.
Such unauthorized access and session persistence could negatively impact compliance with security requirements in common standards and regulations like GDPR and HIPAA, which mandate strong access controls and protection of user data. The ability to bypass MFA protections may increase the risk of unauthorized data access or breaches, thereby affecting the confidentiality and integrity of protected information.
However, the vulnerability has a low severity rating (CVSS 2.1) and requires high privileges and coordination of concurrent requests, which may limit its practical impact. The issue has been patched in recent versions to restore the intended security guarantees of MFA.