CVE-2026-32943

EUVD-2026-12991 LOW
2026-03-17 https://github.com/parse-community/parse-server GHSA-r3xq-68wh-gwvh
2.3
CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Passive

Lifecycle Timeline

Analysis Generated
Mar 18, 2026 - 21:45 vuln.today
EUVD ID Assigned
Mar 18, 2026 - 21:45 euvd
EUVD-2026-12991
Patch Released
Mar 18, 2026 - 21:45 nvd
Patch available
CVE Published
Mar 17, 2026 - 17:40 nvd
LOW 2.3

Description

### Impact

The password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user's password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker's password takes effect instead.

All Parse Server deployments that use the password reset feature are affected.

### Patches

The password reset token is now atomically validated and consumed as part of the password update operation. The database query that updates the password includes the reset token as a condition, ensuring that only one concurrent request can successfully consume the token. Subsequent requests using the same token will fail because the token has already been cleared.

### Workarounds

There is no known workaround other than upgrading.
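The following is an added illustration, not Parse Server's own code, of the two designs the advisory contrasts: a check-then-update sequence, where a read of the token and a later write leave a window in which several concurrent requests all pass validation, and the patched shape, where the token is a condition of the same update that sets the password and clears the token, so the database performs the compare and the set in one step. It assumes an in-memory user object in place of the database, `setImmediate()` as a stand-in for the round-trip between queries, and constructed sample values (`alice`, `tok-abc123`); the `updateOne` call named in a comment is the generic conditional-update shape the advisory describes, not a quotation of the project's query.

```javascript
// Added example (not Parse Server code). An in-memory object stands in for the
// user document and setImmediate() for the database round-trip between queries.

// Constructed sample user with a pending reset token.
function makeUser() {
  return { username: 'alice', password: 'old-password', resetToken: 'tok-abc123' };
}

// One turn of the event loop, i.e. "the database has replied".
const roundTrip = () => new Promise((resolve) => setImmediate(resolve));

// Unsafe pattern: validate the token in one query, write the password in a second.
// Every request that reads the token before any of them writes will succeed.
async function resetCheckThenUpdate(user, token, newPassword) {
  const valid = user.resetToken === token; // query 1: read and compare
  await roundTrip();
  if (!valid) return false;
  user.password = newPassword;              // query 2: write
  user.resetToken = null;
  return true;
}

// Patched pattern as the advisory describes it: the token is a condition of the
// same update that sets the password and clears the token. The synchronous block
// after the round-trip models the database's atomic compare-and-set: nothing can
// interleave between the comparison and the write.
async function resetAtomicConditionalUpdate(user, token, newPassword) {
  await roundTrip();
  // Generic equivalent (assumed shape, not the project's query):
  // updateOne({ _id, resetToken: token }, { $set: { password }, $unset: { resetToken } })
  if (user.resetToken !== token) return false; // matchedCount === 0: token already consumed
  user.password = newPassword;
  user.resetToken = null;
  return true;
}

// Submit two requests carrying the same token concurrently and report the outcome.
async function raceTwoResets(resetFn) {
  const user = makeUser();
  const results = await Promise.all([
    resetFn(user, 'tok-abc123', 'password-from-request-1'),
    resetFn(user, 'tok-abc123', 'password-from-request-2'),
  ]);
  return {
    successes: results.filter(Boolean).length, // 2 for check-then-update, 1 for conditional update
    finalPassword: user.password,
    tokenCleared: user.resetToken === null,
  };
}

// Stand-alone demo: prints both outcomes side by side.
(async () => {
  console.log('check-then-update   :', await raceTwoResets(resetCheckThenUpdate));
  console.log('conditional update  :', await raceTwoResets(resetAtomicConditionalUpdate));
})();
```

The point to check in a real deployment is the same as in the model: a reset token is only single-use if the query that clears it is the query that sets the password. A token check that happens in application code before a separate update, however short the gap, is a time-of-check to time-of-use window, and the report above shows the symptom: the second request's password is the one that ends up stored.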

Analysis

The password reset mechanism in Parse Server fails to enforce single-use guarantees on reset tokens, allowing attackers to exploit a race condition during concurrent password reset requests. An attacker who intercepts a password reset token can submit a password change request that races against the legitimate user's own reset attempt, potentially causing the attacker's new password to take effect while the user believes their own password was successfully changed. …


Remediation

During next maintenance window: Apply vendor patches when convenient. Vendor patch is available.


Priority Score

12
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +12
POC: 0


