Authentication Flaw in Parse Server Allows Multiple Uses of MFA Recovery Code
CVE-2026-33624

2.1 LOW

Key Information:

Vendor:
CVE Published: 24 March 2026

What is CVE-2026-33624?

Parse Server, an open-source backend for Node.js applications, has an authentication flaw that lets a multi-factor authentication (MFA) recovery code be used more than once. Recovery codes are meant to be single-use: once a code has been accepted for a login it should be recorded as spent and rejected from then on. The flaw is a race between checking a code and marking it as used: an attacker who already holds a user's password and one valid recovery code can send several login requests carrying that same code concurrently, and more than one of them is accepted before the code is recorded as spent. Exploitation requires both the password and a valid recovery code, which is why the score is low; what the flaw adds is that a stolen code is not consumed by its first use, so it can be reused for further logins instead of being good for exactly one. The issue is fixed in parse-server 8.6.60 and 9.6.0-alpha.54, and operators should upgrade to one of those releases.

Affected Version(s)

parse-server < 8.6.60 (fixed in 8.6.60)

parse-server >= 9.0.0, < 9.6.0-alpha.54 (fixed in 9.6.0-alpha.54)

References

CVSS V4

Score: 2.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: Present
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 24 March 2026

  • Vulnerability reserved