Race Condition Vulnerability in Parse Server Affecting Multi-Factor Authentication
CVE-2026-43930

2.1 LOW

Key Information:

Vendor
CVE Published:
12 May 2026

What is CVE-2026-43930?

A race condition in the multi-factor authentication (MFA) SMS one-time password (OTP) login mechanism in Parse Server allows multiple concurrent login requests with the same OTP to succeed. This flaw undermines the single-use property of OTPs: an attacker who has already gained access to the victim's password and intercepted an active SMS OTP can execute simultaneous login attempts, and both attempts can generate valid session tokens, increasing the risk of unauthorized account access. The issue is addressed in versions 8.6.76 and 9.9.0-alpha.2 of Parse Server.
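The check-then-invalidate pattern behind this class of bug, next to an atomic single-use consume, as an added example that is not Parse Server's code. The in-memory store, user name, OTP value and all function names are constructed for illustration; the interleaving is simulated deterministically so it can serve as a regression check.

```javascript
// Added illustration, not Parse Server code. The store, user, OTP value and
// function names are constructed. Generators model requests; each `yield`
// is a point where another in-flight request can run (e.g. awaiting I/O).
const ISSUED_OTP = '493817'; // constructed sample value
let sessionCounter = 0;
const newSession = (user) => `session-${user}-${++sessionCounter}`;

// Check-then-invalidate: the OTP is read, then invalidated in a later step.
function* loginCheckThenDelete(store, user, otp) {
  const stored = store.get(user); // step 1: read pending OTP
  yield;                          // gap: a concurrent request reads it too
  if (stored !== otp) return null;
  store.delete(user);             // step 2: invalidation comes too late
  return newSession(user);
}

// Atomic consume: compare and delete happen with no gap in between. With a
// database this is one conditional update/delete, and only the request
// that actually matched and removed the OTP may get a session.
function* loginAtomicConsume(store, user, otp) {
  yield;                          // earlier work (password check etc.)
  if (store.get(user) !== otp) return null;
  store.delete(user);
  return newSession(user);
}

// Interleave n identical requests step by step; return how many got a session.
function runConcurrently(makeLogin, otp = ISSUED_OTP, n = 2) {
  const store = new Map([['alice', ISSUED_OTP]]);
  const requests = Array.from({ length: n }, () => makeLogin(store, 'alice', otp));
  const results = new Array(n).fill(undefined);
  let pending = n;
  while (pending > 0) {
    requests.forEach((req, i) => {
      if (results[i] !== undefined) return; // already finished
      const step = req.next();
      if (step.done) { results[i] = step.value; pending--; }
    });
  }
  return results.filter((r) => r !== null).length;
}

console.log('check-then-delete sessions:', runConcurrently(loginCheckThenDelete));
console.log('atomic consume sessions:  ', runConcurrently(loginAtomicConsume));
```
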

Affected Version(s)

parse-server >= 9.0.0, < 9.9.0-alpha.2

parse-server < 8.6.76

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
