Multi-Factor Authentication Flaw in Parse Server Affects User Account Security
CVE-2026-31875

8.2 HIGH

Key Information:

CVE Published: 11 March 2026

What is CVE-2026-31875?

Parse Server, an open-source backend framework, has a vulnerability in its multi-factor authentication (MFA) implementation. When TOTP is enabled for a user account, the server generates two single-use recovery codes intended for emergency access. However, these recovery codes are not marked as used after they are redeemed, so they can be replayed. An attacker who obtains any one of these codes can authenticate as the user indefinitely, bypassing the second factor that MFA is meant to enforce. This undermines the effectiveness of MFA and may expose user accounts to unauthorized access. The issue has been addressed in Parse Server versions 9.6.0-alpha.7 and 8.6.33.

Affected Version(s)

parse-server >= 9.0.0, < 9.6.0-alpha.7 (fixed in 9.6.0-alpha.7)

parse-server < 8.6.33 (fixed in 8.6.33)

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved