parse-community parse-server up to 8.6.63/9.7.0-alpha.7 authData Login Endpoint toctou

Summaryinfo

A vulnerability was found in parse-community parse-server up to 8.6.63/9.7.0-alpha.7. It has been rated as problematic. This affects an unknown function of the component authData Login Endpoint. Performing a manipulation results in toctou. This vulnerability is reported as CVE-2026-34224. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in parse-community parse-server up to 8.6.63/9.7.0-alpha.7. It has been classified as problematic. This affects an unknown function of the component authData Login Endpoint. The manipulation with an unknown input leads to a toctou vulnerability. CWE is classifying the issue as CWE-367. The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state. This is going to have an impact on integrity. The summary by CVE is:

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.

The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2026-34224 since 03/26/2026. The exploitability is told to be difficult. It is possible to initiate the attack remotely. Additional levels of successful authentication are required for exploitation. Neither technical details nor an exploit are publicly available.

Upgrading to version 8.6.64 or 9.7.0-alpha.8 eliminates this vulnerability. Applying the patch 661f160edac8daac0486bc94413cf9652876ab92 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• parse-community

Name

• parse-server

Version

• 8.6.0
• 8.6.1
• 8.6.2
• 8.6.3
• 8.6.4
• 8.6.5
• 8.6.6
• 8.6.7
• 8.6.8
• 8.6.9
• 8.6.10
• 8.6.11
• 8.6.12
• 8.6.13
• 8.6.14
• 8.6.15
• 8.6.16
• 8.6.17
• 8.6.18
• 8.6.19
• 8.6.20
• 8.6.21
• 8.6.22
• 8.6.23
• 8.6.24
• 8.6.25
• 8.6.26
• 8.6.27
• 8.6.28
• 8.6.29
• 8.6.30
• 8.6.31
• 8.6.32
• 8.6.33
• 8.6.34
• 8.6.35
• 8.6.36
• 8.6.37
• 8.6.38
• 8.6.39
• 8.6.40
• 8.6.41
• 8.6.42
• 8.6.43
• 8.6.44
• 8.6.45
• 8.6.46
• 8.6.47
• 8.6.48
• 8.6.49
• 8.6.50
• 8.6.51
• 8.6.52
• 8.6.53
• 8.6.54
• 8.6.55
• 8.6.56
• 8.6.57
• 8.6.58
• 8.6.59
• 8.6.60
• 8.6.61
• 8.6.62
• 8.6.63
• 9.7.0-alpha.0
• 9.7.0-alpha.1
• 9.7.0-alpha.2
• 9.7.0-alpha.3
• 9.7.0-alpha.4
• 9.7.0-alpha.5
• 9.7.0-alpha.6
• 9.7.0-alpha.7

License

• open-source

Website

• Product: https://github.com/parse-community/parse-server/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion