PT-2026-24690 · Bitnami+4 · Parse+1
0Xkakash1
Published: 2026-03-11 · Updated: 2026-03-13
CVE-2026-31875
CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 9.6.0-alpha.7
Parse Server versions prior to 8.6.33
Description
Parse Server, a backend deployable on Node.js infrastructures, is affected by an issue in which recovery codes for multi-factor authentication (MFA) via TOTP are not consumed after use. When MFA via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes intended as a fallback when a TOTP token is unavailable. Because a used code is not invalidated, an attacker who obtains a single recovery code can repeatedly authenticate as the affected user, undermining the intended single-use design and weakening the security of MFA-protected accounts.
Recommendations
Versions prior to 9.6.0-alpha.7 should be updated to version 9.6.0-alpha.7 or later.
Versions prior to 8.6.33 should be updated to version 8.6.33 or later.
Affected Products
Parse
Parse Server