Skip to main content

CVE-2026-34224

LOW
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-03-29 https://github.com/parse-community/parse-server GHSA-w73w-g5xw-rwhf
2.1
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 29, 2026 - 15:30 vuln.today
Patch released
Mar 29, 2026 - 15:30 nvd
Patch available
CVE Published
Mar 29, 2026 - 15:23 nvd
LOW 2.1

DescriptionGitHub Advisory

Impact

An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions.

Patches

The fix adds optimistic locking to the authData login path, ensuring that concurrent database updates for the same user fail when the original MFA token array has already been modified by another request.

Workarounds

There is no known workaround.

AnalysisAI

Parse Server allows attackers with a valid authentication provider token and a single MFA recovery code or SMS one-time password to create multiple concurrent authenticated sessions, bypassing the single-use guarantee of MFA recovery codes and defeating session revocation. The vulnerability exploits a race condition in the authData login endpoint where concurrent requests can reuse the same MFA token before database synchronization occurs, enabling persistent unauthorized access even after legitimate session revocation.

Technical ContextAI

Parse Server's authentication system implements MFA recovery codes and SMS one-time passwords as single-use tokens intended to prevent replay attacks and unauthorized session establishment. The vulnerability exists in the authData login endpoint, which processes concurrent login requests without proper synchronization mechanisms. The root cause (CWE-367: Time-of-check to time-of-use race condition) stems from insufficient locking during database operations: when multiple concurrent requests validate and consume an MFA token, the application checks for token validity and updates the token array without atomic guarantees, allowing a second request to pass validation checks before the first request's database update is committed. Parse Server is a Node.js backend framework (pkg:npm/parse-server) that provides BaaS (backend-as-a-service) capabilities, and this vulnerability affects its core authentication layer.

RemediationAI

Vendor-released patch available via merged pull requests: apply patches from GitHub PR #10326 and #10327 to Parse Server, which implement optimistic locking in the authData login path to ensure atomic database updates for MFA token arrays. Update Parse Server to a patched version that incorporates these changes. No workaround is available, making immediate patching essential. Review the security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf for version-specific guidance and affected release information.

Share

CVE-2026-34224 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy