Multiple Authenticated Session Vulnerability in Parse Server by Parse Community
CVE-2026-34224

2.1 LOW

Key Information:

Vendor
CVE Published: 31 March 2026

What is CVE-2026-34224?

Parse Server has a vulnerability that allows an attacker who holds a valid authentication provider token along with a single MFA recovery code or SMS one-time password to create multiple authenticated sessions by sending concurrent login attempts to the authData login endpoint. This undermines the integrity of multi-factor authentication, because it enables session persistence even when legitimate users revoke their sessions. The issue is fixed in versions 8.6.64 and 9.7.0-alpha.8; deployments on affected versions should update.

Affected Version(s)

parse-server < 8.6.64

parse-server >= 9.0.0, < 9.7.0-alpha.8

CVSS V4

Score: 2.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved