CVE-2026-34224

Severity: LOW (CVSS 4.0 score 2.1)
2026-03-29 https://github.com/parse-community/parse-server GHSA-w73w-g5xw-rwhf

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated: Mar 29, 2026 - 15:30 (vuln.today)
Patch Released: Mar 29, 2026 - 15:30 (nvd), patch available
CVE Published: Mar 29, 2026 - 15:23 (nvd)

Description

### Impact

An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions.

### Patches

The fix adds optimistic locking to the authData login path, ensuring that concurrent database updates for the same user fail when the original MFA token array has already been modified by another request.

### Workarounds

There is no known workaround.

Analysis

Parse Server allows attackers with a valid authentication provider token and a single MFA recovery code or SMS one-time password to create multiple concurrent authenticated sessions, bypassing the single-use guarantee of MFA recovery codes and defeating session revocation. The flaw is a race condition in the authData login endpoint: concurrent requests can each accept the same MFA token before the database update that consumes it is visible to the other requests, enabling persistent unauthorized access even after legitimate session revocation.
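The race in the Analysis above and the optimistic-locking fix from the Patches section, modelled as an added example (not Parse Server's code): a constructed in-memory store stands in for the database, with an unconditional write beside a write that only succeeds when the recovery-code array still matches what the request originally read.

```javascript
// Added example, not Parse Server's implementation. UserStore is a constructed
// stand-in for the user record in the database; writeIfUnchanged models an
// update whose query predicate includes the array value originally read.
class UserStore {
  constructor(codes) { this.codes = codes.slice(); }
  read() { return this.codes.slice(); }
  // Vulnerable pattern: unconditional write, last writer wins.
  write(codes) { this.codes = codes.slice(); }
  // Optimistic locking: the write fails if another request already
  // modified the stored array since this request read it.
  writeIfUnchanged(expected, codes) {
    if (JSON.stringify(this.codes) !== JSON.stringify(expected)) return false;
    this.codes = codes.slice();
    return true;
  }
}

// Simulate n concurrent logins presenting the same single-use code, using
// the interleaving that triggers the race: every request reads the record
// before any request commits its update.
function concurrentLogins(store, code, n, useOptimisticLock) {
  const snapshots = [];
  for (let i = 0; i < n; i++) snapshots.push(store.read()); // phase 1: reads
  let sessions = 0;
  for (const seen of snapshots) {                             // phase 2: commits
    if (!seen.includes(code)) continue;                       // code already spent
    const remaining = seen.filter((c) => c !== code);
    if (useOptimisticLock) {
      // Only the first commit matches the array it read; the rest fail
      // and no session is created for them.
      if (store.writeIfUnchanged(seen, remaining)) sessions++;
    } else {
      store.write(remaining);                                 // every request "wins"
      sessions++;
    }
  }
  return sessions;
}

// Constructed sample: three unused recovery codes, five racing requests.
function demo() {
  const codes = ["code-A", "code-B", "code-C"];
  const unsafe = concurrentLogins(new UserStore(codes), "code-A", 5, false);
  const safe = concurrentLogins(new UserStore(codes), "code-A", 5, true);
  return { unsafe, safe }; // { unsafe: 5, safe: 1 }
}
```

In a real deployment the conditional write is the database's own atomic compare-and-update on the user document, not an application-side check; the store above only models its outcome.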


Remediation

During the next maintenance window: apply the vendor patch when convenient. A vendor patch is available.


Priority Score

11
KEV: 0
EPSS: +0.1
CVSS: +10
POC: 0
