Back to CVE List

CVE-2026-33624

LOW SEVERITY

CVSS Score & Metrics

Base Score
2.7 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Vulnerability Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-367
Source
NVD
Vendor
parse-community
Product
parse-server

External References

Discussion (0)

Add Comment

No comments yet. Be the first!