CVE-2026-34224
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
parse-servernpm | >= 9.0.0, < 9.7.0-alpha.8 | 9.7.0-alpha.8 |
parse-servernpm | < 8.6.64 | 8.6.64 |
Affected products
10cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*+ 7 more
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7:*:*:*:node.js:*:*
- cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*range: <8.6.64
- osv-coords2 versions
< 8.6.64+ 1 more
- (no CPE)range: < 8.6.64
- (no CPE)range: >= 9.0.0, < 9.7.0-alpha.8
Patches
Vulnerability mechanics
References
7- github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92nvdPatchWEB
- github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbfnvdPatchWEB
- github.com/parse-community/parse-server/pull/10326nvdIssue TrackingPatchWEB
- github.com/parse-community/parse-server/pull/10327nvdIssue TrackingPatchWEB
- github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhfnvdPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-w73w-g5xw-rwhfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-34224ghsaADVISORY
News mentions
0No linked articles in our index yet.