PT-2026-28613 · Unknown · Parse Server

Published: 2026-03-29
Updated: 2026-04-06
CVE: CVE-2026-34224
CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 8.6.64
Parse Server versions prior to 9.7.0-alpha.8

Description
Parse Server is an open source backend deployable on Node.js infrastructure. An attacker with a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This bypasses the single-use restriction of MFA recovery codes and SMS one-time passwords, enabling session persistence even after the legitimate user revokes detected sessions. The fix implements optimistic locking on the authData login path, preventing concurrent database updates when the MFA token array has been altered by another request.

Recommendations
Update to Parse Server version 8.6.64 or later.
Update to Parse Server version 9.7.0-alpha.8 or later.
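The race and the optimistic-locking fix described above, as an added in-process simulation that is not Parse Server's code: a constructed user record holds single-use recovery codes, a fake datastore exposes both an unconditional write and a version-checked write, and several logins race on the same code.

```javascript
// Added example, not Parse Server code: a single-use MFA recovery code
// consumed by concurrent login requests. Unconditional read-modify-write lets
// every request succeed; a version-checked write (optimistic locking) lets one.

// Constructed user record; recovery codes are an array on the user.
function makeUser() {
  return { version: 0, recoveryCodes: ['code-A', 'code-B'] };
}
// Simulated async datastore. The awaits are the scheduling gaps in which
// concurrent requests interleave.
class Store {
  constructor(user) { this.user = user; }
  async read() {
    await Promise.resolve();
    return { ...this.user, recoveryCodes: [...this.user.recoveryCodes] };
  }
  async write(u) { await Promise.resolve(); this.user = u; } // last writer wins
  async writeIfVersion(u, expected) {  // compare-and-swap on the version
    await Promise.resolve();
    if (this.user.version !== expected) return false;
    this.user = { ...u, version: expected + 1 };
    return true;
  }
}

// Vulnerable pattern: check the code, then store the shortened array.
async function consumeNaive(store, code) {
  const u = await store.read();
  if (!u.recoveryCodes.includes(code)) return false;
  await store.write({ ...u, recoveryCodes: u.recoveryCodes.filter(c => c !== code) });
  return true; // a session would be issued here
}

// Fixed pattern: the write is rejected if another request already changed
// the array, so the losing requests get no session.
async function consumeLocked(store, code) {
  const u = await store.read();
  if (!u.recoveryCodes.includes(code)) return false;
  const updated = { ...u, recoveryCodes: u.recoveryCodes.filter(c => c !== code) };
  return store.writeIfVersion(updated, u.version);
}

// Fire n concurrent logins with the same code; count how many got a session.
async function raceLogins(consume, n = 5) {
  const store = new Store(makeUser());
  const results = await Promise.all(
    Array.from({ length: n }, () => consume(store, 'code-A')));
  return results.filter(Boolean).length;
}
```

With five concurrent logins, `raceLogins(consumeNaive)` returns 5 and `raceLogins(consumeLocked)` returns 1; a real fix additionally needs the conditional update to be atomic in the database itself, not only in application code.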

Weakness Enumeration
Time Of Check To Time Of Use

Related Identifiers

BIT-PARSE-2026-34224
CVE-2026-34224
GHSA-W73W-G5XW-RWHF

Affected Products

Parse Server