Password Reset Token Race Condition in Parse Server by Parse Community
CVE-2026-32943

2.3 LOW

Key Information:

Vendor: Parse Community
CVE Published: 18 March 2026

What is CVE-2026-32943?

Parse Server's password reset mechanism allowed a reset token to be reused. Before versions 9.6.0-alpha.28 and 8.6.48, multiple concurrent password reset requests that presented the same token could all succeed, leading to potential account compromise. An attacker who intercepts a reset token can exploit this flaw, and the legitimate user may be left confused because both the attacker's request and the user's own request appear to complete successfully. The fixed releases validate and consume the reset token atomically, so only one request can ever succeed with a given token.
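The race described above is a check-then-act defect: the token is looked up in one database operation and deleted in a second, and two requests that arrive close together can both pass the lookup before either deletion runs. The following is an added example, not Parse Server's code; it uses a constructed in-memory collection (`FakeCollection`, with a `tick()` delay standing in for database latency) to reproduce the race and shows the atomic find-and-delete pattern that the advisory's fix relies on. The token value, user id and collection API are assumptions made for the demonstration.

```javascript
// Added example, not Parse Server's code: reproduce the reset-token race with an
// in-memory "collection" whose operations yield to the event loop like a real
// database round trip, then close it with an atomic claim.

// One event-loop turn of simulated database latency.
const tick = () => new Promise((resolve) => setImmediate(resolve));

class FakeCollection {
  constructor() { this.docs = new Map(); }

  // Non-atomic primitives: each is a separate round trip to the "database".
  async findOne(filter) {
    await tick();
    return this.docs.get(filter._id) || null;
  }
  async deleteOne(filter) {
    await tick();
    return { deletedCount: this.docs.delete(filter._id) ? 1 : 0 };
  }

  // Atomic primitive: lookup and removal happen in the same step, the way a
  // database's findOneAndDelete acts on a single document.
  async findOneAndDelete(filter) {
    await tick();
    const doc = this.docs.get(filter._id) || null;
    if (doc) this.docs.delete(filter._id);
    return doc;
  }
}

// Store a constructed reset token with an expiry timestamp.
function seedToken(collection, token, userId, ttlMs, now = Date.now()) {
  collection.docs.set(token, { _id: token, userId, expiresAt: now + ttlMs });
}

// Vulnerable pattern: validate the token, then consume it in a second operation.
// Two concurrent requests can both pass validation before either deletes the token.
async function resetPasswordRacy(collection, token, newPassword, now = Date.now()) {
  const record = await collection.findOne({ _id: token });
  if (!record || record.expiresAt <= now) return { ok: false, reason: 'invalid token' };
  await collection.deleteOne({ _id: token });
  return { ok: true, userId: record.userId, newPassword };
}

// Hardened pattern: claim the token atomically; exactly one caller receives the record.
// An expired token is still consumed, so it can never be retried.
async function resetPasswordAtomic(collection, token, newPassword, now = Date.now()) {
  const record = await collection.findOneAndDelete({ _id: token });
  if (!record) return { ok: false, reason: 'invalid token' };
  if (record.expiresAt <= now) return { ok: false, reason: 'expired token' };
  return { ok: true, userId: record.userId, newPassword };
}

// Fire two concurrent resets carrying the same token and count how many succeed.
async function raceOnce(resetFn) {
  const collection = new FakeCollection();
  seedToken(collection, 'tok-constructed-1', 'user-1', 60000); // constructed values
  const results = await Promise.all([
    resetFn(collection, 'tok-constructed-1', 'password-from-request-A'),
    resetFn(collection, 'tok-constructed-1', 'password-from-request-B'),
  ]);
  return results.filter((r) => r.ok).length;
}

// Returns the number of successful resets under each implementation.
async function demo() {
  const racy = await raceOnce(resetPasswordRacy);     // 2: both requests "succeed"
  const atomic = await raceOnce(resetPasswordAtomic); // 1: the token is consumed once
  return { racy, atomic };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(r));
}
```

The same defect exists with any "read, then write" pair around a single-use credential; the remedy is to let the datastore perform the check and the consumption in one operation (find-and-delete, or a conditional update that only matches an unconsumed token and inspects the number of modified documents), rather than relying on the application to sequence two separate calls.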

Affected Version(s)

parse-server >= 9.0.0, < 9.6.0-alpha.28 (fixed in 9.6.0-alpha.28)

parse-server < 8.6.48 (fixed in 8.6.48)

References

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published: 18 March 2026

  • Vulnerability Reserved