{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33624", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T14:24:11.617Z", "datePublished": "2026-03-24T18:28:52.114Z", "dateUpdated": "2026-03-25T14:28:24.585Z"}, "containers": {"cna": {"title": "Parse Server: MFA recovery code single-use bypass via concurrent requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.1, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp"}, {"name": "https://github.com/parse-community/parse-server/pull/10275", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10275"}, {"name": "https://github.com/parse-community/parse-server/pull/10276", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10276"}, {"name": "https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff"}, {"name": "https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 8.6.60", "status": "affected"}, {"version": ">= 9.0.0, < 9.6.0-alpha.54", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:28:52.114Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54."}], "source": {"advisory": "GHSA-2299-ghjr-6vjp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:58:24.106962Z", "id": "CVE-2026-33624", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:28:24.585Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33624", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:58:24.106962Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:58:29.662Z"}}], "cna": {"title": "Parse Server: MFA recovery code single-use bypass via concurrent requests", "source": {"advisory": "GHSA-2299-ghjr-6vjp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": "< 8.6.60"}, {"status": "affected", "version": ">= 9.0.0, < 9.6.0-alpha.54"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/pull/10275", "name": "https://github.com/parse-community/parse-server/pull/10275", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/pull/10276", "name": "https://github.com/parse-community/parse-server/pull/10276", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff", "name": "https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c", "name": "https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:28:52.114Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33624", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:28:24.585Z", "dateReserved": "2026-03-23T14:24:11.617Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T18:28:52.114Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D3CEFBCC-B847-4BA5-A893-E6736D31A255", "versionEndExcluding": "8.6.60", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "1BAC01F8-0899-482C-8D91-64671BF2859A", "versionEndExcluding": "9.6.0", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "BBED261F-CA1B-44BC-9C3A-37378590EFEE", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*", "matchCriteriaId": "418338C9-6AEC-492C-ACA4-9B3C0AAE149C", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*", "matchCriteriaId": "808B6482-BF8E-407D-8462-E757657CC323", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*", "matchCriteriaId": "B84C28F8-AADE-41BB-A0EF-B701AB57DC3A", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*", "matchCriteriaId": "7567BB81-7837-4265-B792-6A9B73CECF93", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14:*:*:*:node.js:*:*", "matchCriteriaId": "0035C6F1-21B9-42D1-BE29-690905F3558C", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15:*:*:*:node.js:*:*", "matchCriteriaId": "623FB30A-0693-4449-80FA-16D36B1BE66C", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16:*:*:*:node.js:*:*", "matchCriteriaId": "9B420167-CD3E-45A7-AD9A-0F83AEC634BA", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17:*:*:*:node.js:*:*", "matchCriteriaId": "030A8626-DBBD-4BF2-B362-79B44FB1204D", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18:*:*:*:node.js:*:*", "matchCriteriaId": "D38CFCC3-2AA9-4C8E-9064-FE97E6E8C45C", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19:*:*:*:node.js:*:*", "matchCriteriaId": "65BB78F2-3A1A-4CD1-B8A8-4AB043B5CA50", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "EDC98AF7-8620-4A25-9BE5-623672599677", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20:*:*:*:node.js:*:*", "matchCriteriaId": "23E28E0F-9379-4628-B9DC-8C94A45902CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21:*:*:*:node.js:*:*", "matchCriteriaId": "6631BE51-74FB-40C0-9E91-0EDF2DCADD7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22:*:*:*:node.js:*:*", "matchCriteriaId": "8B0E4254-14A3-4EB6-9E98-CF45EB08B17F", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23:*:*:*:node.js:*:*", "matchCriteriaId": "0FF63FDE-75F5-44B6-A958-CF653D84D3B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24:*:*:*:node.js:*:*", "matchCriteriaId": "252B812D-A162-41C1-91CD-08D0CBAC5C46", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25:*:*:*:node.js:*:*", "matchCriteriaId": "421691EA-F55A-4738-8ABD-74B53B6DF155", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26:*:*:*:node.js:*:*", "matchCriteriaId": "5E7FAB59-142E-4191-9A6F-0744D810CD81", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27:*:*:*:node.js:*:*", "matchCriteriaId": "B010F310-05A1-48AE-B002-8F4C7FA62EB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha28:*:*:*:node.js:*:*", "matchCriteriaId": "4D3B2C32-16D8-415B-A49F-060ECE8F0F33", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha29:*:*:*:node.js:*:*", "matchCriteriaId": "43BE83C2-C756-4A5A-A340-B7D1FB52078D", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "DF340605-8CC8-4543-9F5D-E8602D258CED", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha30:*:*:*:node.js:*:*", "matchCriteriaId": "702EBB22-3E9F-4CBE-B855-2E3642C530B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha31:*:*:*:node.js:*:*", "matchCriteriaId": "7C17AD66-684F-4662-AF16-838FF05F47D5", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha32:*:*:*:node.js:*:*", "matchCriteriaId": "13C25963-CAE7-49AA-A941-254DCE289E35", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha33:*:*:*:node.js:*:*", "matchCriteriaId": "B6BF0C2F-DD2B-4864-961F-CA808EF22633", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha34:*:*:*:node.js:*:*", "matchCriteriaId": "8FBB21E9-CB73-4CB1-841A-D1C08167DB51", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha35:*:*:*:node.js:*:*", "matchCriteriaId": "4CD55F0B-D854-43D4-A0F5-F83386DB24C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha36:*:*:*:node.js:*:*", "matchCriteriaId": "1097E8DF-3D0E-47C6-882D-E37B22119538", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha37:*:*:*:node.js:*:*", "matchCriteriaId": "8C60F121-1C0B-4EB5-87EF-F1BED070C13B", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha38:*:*:*:node.js:*:*", "matchCriteriaId": "04D8514D-CC66-4E6B-90C8-6108F0DAA661", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha39:*:*:*:node.js:*:*", "matchCriteriaId": "4BB65A73-7BB7-42E4-97A3-4D6305172E05", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "A052DFCA-EDCC-43D7-82C7-E5311F6F7687", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha40:*:*:*:node.js:*:*", "matchCriteriaId": "192A78FB-E141-4F14-8C4A-20A4118B01C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha41:*:*:*:node.js:*:*", "matchCriteriaId": "CA4FEA42-4240-42B1-A5C2-6F74CBBACB92", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha42:*:*:*:node.js:*:*", "matchCriteriaId": "7192B894-2616-4852-850B-39CF6FCAC4F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha43:*:*:*:node.js:*:*", "matchCriteriaId": "3323535E-C323-4FD9-81E9-8F7A045EDD59", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha44:*:*:*:node.js:*:*", "matchCriteriaId": "20A0CF2D-C8C0-4972-8F2B-02B67C171CA2", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha45:*:*:*:node.js:*:*", "matchCriteriaId": "EDC9ECE2-303E-429F-8E1B-EC6C6C575642", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha46:*:*:*:node.js:*:*", "matchCriteriaId": "A8914A97-5BCA-44ED-8767-1C4B5029CA2E", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha47:*:*:*:node.js:*:*", "matchCriteriaId": "D1BA3306-9F5B-4F9D-B472-D04E9018667E", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha48:*:*:*:node.js:*:*", "matchCriteriaId": "3CE968D2-0024-45CD-B458-06D13F598875", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha49:*:*:*:node.js:*:*", "matchCriteriaId": "7FF06066-8433-46B4-A935-66FC2EFA4F2E", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "12B11714-B961-4330-B241-FC5AF94FDBE8", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha50:*:*:*:node.js:*:*", "matchCriteriaId": "47A519A3-6E15-4758-871A-CA5CB2ECBD75", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha51:*:*:*:node.js:*:*", "matchCriteriaId": "85FEA7B3-1B31-45C7-89B4-2502DA305BAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha52:*:*:*:node.js:*:*", "matchCriteriaId": "281762AD-E26D-4F3C-BBF2-DCB8E0109D7E", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha53:*:*:*:node.js:*:*", "matchCriteriaId": "FE9A1AE6-8C16-4B92-AEED-9CAFC9DC99CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "37A7C42B-4986-4BB6-BB27-0324A9AA1CFF", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*", "matchCriteriaId": "C793834B-64B4-4DE9-BD7D-79B52C30C34E", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*", "matchCriteriaId": "7AD455C8-88BE-4A0A-B33D-3A7811FFB753", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*", "matchCriteriaId": "26C475A2-997C-4C3A-8CB6-04AB3534BBC3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.60 y 9.6.0-alpha.54, un atacante que obtiene la contrase\u00f1a de un usuario y un \u00fanico c\u00f3digo de recuperaci\u00f3n MFA puede reutilizar ese c\u00f3digo de recuperaci\u00f3n un n\u00famero ilimitado de veces enviando solicitudes de inicio de sesi\u00f3n concurrentes. Esto anula el dise\u00f1o de un solo uso de los c\u00f3digos de recuperaci\u00f3n. El ataque requiere la contrase\u00f1a del usuario, un c\u00f3digo de recuperaci\u00f3n v\u00e1lido y la capacidad de enviar solicitudes concurrentes en cuesti\u00f3n de milisegundos. Este problema ha sido parcheado en las versiones 8.6.60 y 9.6.0-alpha.54."}], "id": "CVE-2026-33624", "lastModified": "2026-03-25T21:17:05.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T19:16:55.023", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/parse-community/parse-server/pull/10275"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/parse-community/parse-server/pull/10276"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.60)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.6.0-alpha.54)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-03-25T22:49:18.765252+00:00", "value": {"mitigation_remediation": ["Upgrade Parse Server to version 8.6.60, 9.6.0\u2011alpha.54, or later to remove the race condition.", "If an immediate upgrade is not possible, apply rate limiting or throttling to the authentication endpoint to reduce the likelihood of concurrent requests.", "Verify the deployed Parse Server version by querying the version endpoint or reviewing deployment metadata to confirm that the patched version is in use.", "Monitor authentication logs for repeated login attempts using the same recovery code, which may indicate exploitation attempts.", "Keep Parse Server and its dependencies up\u2011to\u2011date as part of an ongoing patch management process."], "summary": {"action": "Apply Patch", "impact": "MFA recovery code reuse bypass"}, "threat_synthesis": {"affected_systems": "Instances of Parse Server running any version prior to 8.6.60 or 9.6.0\u2011alpha.54 are affected. The product is the open\u2011source Parse Server backend for Node.js, maintained by the parse\u2011community community. Vulnerable versions include all releases before the mentioned points, as identified by the provided CPE list.", "description_and_impact": "A race condition in Parse Server allows an attacker who knows a user\u2019s password and a single valid MFA recovery code to reuse that code an unlimited number of times by sending concurrent login requests. The flaw undermines the intended single\u2011use nature of MFA recovery codes, effectively enabling repeated authentication attempts with the same code and weakening the overall multi\u2011factor protection. The vulnerability is a concurrency issue described by CWE\u2011367.", "risk_and_exploitability": "The CVSS score of 2.1 indicates low severity, and EPSS is under 1%, suggesting limited reported exploitation. However, exploitation requires the attacker to possess a valid user password, a recovery code, and the ability to issue concurrent requests within milliseconds. When those conditions are met, the attacker can reuse the recovery code indefinitely, bypassing MFA benefits. The vulnerability is not listed in the CISA KEV catalog, but patching remains the primary defense."}}}}, "created": "2026-03-25T11:46:36.243440+00:00", "updated": "2026-03-26T12:18:54.892888+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}