CVE-2026-34224
LOWSeverity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions.
Patches
The fix adds optimistic locking to the authData login path, ensuring that concurrent database updates for the same user fail when the original MFA token array has already been modified by another request.
Workarounds
There is no known workaround.
AnalysisAI
Parse Server allows attackers with a valid authentication provider token and a single MFA recovery code or SMS one-time password to create multiple concurrent authenticated sessions, bypassing the single-use guarantee of MFA recovery codes and defeating session revocation. The vulnerability exploits a race condition in the authData login endpoint where concurrent requests can reuse the same MFA token before database synchronization occurs, enabling persistent unauthorized access even after legitimate session revocation.
Technical ContextAI
Parse Server's authentication system implements MFA recovery codes and SMS one-time passwords as single-use tokens intended to prevent replay attacks and unauthorized session establishment. The vulnerability exists in the authData login endpoint, which processes concurrent login requests without proper synchronization mechanisms. The root cause (CWE-367: Time-of-check to time-of-use race condition) stems from insufficient locking during database operations: when multiple concurrent requests validate and consume an MFA token, the application checks for token validity and updates the token array without atomic guarantees, allowing a second request to pass validation checks before the first request's database update is committed. Parse Server is a Node.js backend framework (pkg:npm/parse-server) that provides BaaS (backend-as-a-service) capabilities, and this vulnerability affects its core authentication layer.
RemediationAI
Vendor-released patch available via merged pull requests: apply patches from GitHub PR #10326 and #10327 to Parse Server, which implement optimistic locking in the authData login path to ensure atomic database updates for MFA token arrays. Update Parse Server to a patched version that incorporates these changes. No workaround is available, making immediate patching essential. Review the security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf for version-specific guidance and affected release information.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-w73w-g5xw-rwhf