PT-2026-26160 · Unknown · Parse Server
Fancymalware · Published 2026-03-17 · Updated 2026-03-20 · CVE-2026-32943
CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 9.6.0-alpha.28 and 8.6.48

Description: Parse Server, an open-source backend deployable on Node.js infrastructures, has an issue in its password reset mechanism. The system does not guarantee single-use tokens for password resets. An attacker intercepting a reset token can potentially race a legitimate user's password reset request, successfully changing the password to one controlled by the attacker. This could lead the legitimate user to believe their password change was successful, while the attacker gains access. The issue affects all Parse Server deployments utilizing the password reset feature.

The password reset token is now atomically validated and consumed as part of the password update operation in versions 9.6.0-alpha.28 and 8.6.48. The database query that updates the password includes the reset token as a condition, ensuring that only one concurrent request can successfully consume the token.

Recommendations: Parse Server versions prior to 9.6.0-alpha.28 should be upgraded. Parse Server versions prior to 8.6.48 should be upgraded.

Exploit

Fix

Weakness Enumeration: Time Of Check To Time Of Use

Related Identifiers

BIT-PARSE-2026-32943
CVE-2026-32943
GHSA-R3XQ-68WH-GWVH

Affected Products

Parse Server