CVE-2026-34224 in parse-server
Summary (English)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.
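The following is an added illustration, not parse-server's own code: it models the check-then-act pattern that lets a single-use recovery code be redeemed by several concurrent requests, beside an atomic consume that keeps the code single-use. The store, the sample code value and all function names are constructed for this example.

```javascript
// Added example (not parse-server code): a single-use MFA recovery code
// redeemed under concurrent requests, racy vs. atomic consumption.
const RECOVERY_CODES = ['ABCD-1234']; // constructed sample code

// Simulated datastore with async round-trips, like a DB-backed store.
function makeStore(codes) {
  const rows = new Map(codes.map((c) => [c, { used: false }]));
  return {
    // Non-atomic read: the caller checks, then writes back later.
    async read(code) { await Promise.resolve(); return rows.get(code); },
    async write(code, row) { await Promise.resolve(); rows.set(code, row); },
    // Atomic compare-and-set: test and mark in one step, the equivalent of
    // a conditional update (e.g. "... WHERE used = false") in a real DB.
    consumeIfUnused(code) {
      const row = rows.get(code);
      if (!row || row.used) return false;
      row.used = true;
      return true;
    },
  };
}

// Vulnerable: every concurrent request reads `used: false` before any
// of them writes the code back as used, so all of them get a session.
async function loginRacy(store, code) {
  const row = await store.read(code);
  if (!row || row.used) return false;
  await store.write(code, { used: true });
  return true; // session issued
}

// Hardened: the check and the mark cannot be interleaved.
async function loginAtomic(store, code) {
  return store.consumeIfUnused(code);
}

// Fire n concurrent logins with the same code; return sessions issued.
async function sessionsIssued(login, n = 5) {
  const store = makeStore(RECOVERY_CODES);
  const results = await Promise.all(
    Array.from({ length: n }, () => login(store, RECOVERY_CODES[0]))
  );
  return results.filter(Boolean).length;
}

async function demo() {
  const racy = await sessionsIssued(loginRacy);
  const atomic = await sessionsIssued(loginAtomic);
  console.log(`racy: ${racy} sessions, atomic: ${atomic} session`);
  return { racy, atomic };
}
demo();
```

The racy variant issues one session per concurrent request; the atomic variant issues exactly one, regardless of how many requests arrive together.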
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Responsible: GitHub_M
Reserved: 2026-03-26
Disclosed: 2026-03-31
Status: Confirmed
Entries
VulDB provides additional information and datapoints for this CVE:
| Identifier | Vulnerability | CWE | Exploitability | Countermeasure | CVE |
|---|---|---|---|---|---|
| 354417 | parse-community parse-server authData Login race condition | 367 | Undefined | Official fix | CVE-2026-34224 |