CVE-2026-33624

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.60 Parse Server versions prior to 9.6.0-alpha.54

Description An attacker with a user's password and a valid multi-factor authentication (MFA) recovery code can reuse the recovery code an unlimited number of times by sending concurrent login requests. This circumvents the intended single-use functionality of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send requests rapidly. The issue stems from a lack of proper handling of single-use tokens during login attempts. The login handler did not employ optimistic locking when updating authentication data containing consumed single-use tokens, allowing concurrent requests to bypass the single-use restriction.

Recommendations Update to Parse Server version 8.6.60 or later. Update to Parse Server version 9.6.0-alpha.54 or later.