Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.

INFO

Published Date :

2026-03-31T14:25:22.782Z

Last Modified :

2026-04-02T15:16:27.489Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34224 vulnerability.

Vendors Products
Parse Community
  • Parse Server
Parseplatform
  • Parse-server
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34224.

URL Resource
https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92 cve-icon cve-icon
https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf cve-icon cve-icon
https://github.com/parse-community/parse-server/pull/10326 cve-icon cve-icon
https://github.com/parse-community/parse-server/pull/10327 cve-icon cve-icon
https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact