CVE-2026-43930

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.76 Parse Server versions prior to 9.9.0-alpha.2

Description A race condition exists in the MFA SMS one-time password (OTP) login path. This allows two concurrent requests to the '/login' endpoint using the same OTP to both succeed and receive valid session tokens, which violates the single-use requirement of the OTP. For this to be exploited, an attacker must already have the victim's password and intercept the active SMS OTP through methods such as SIM swapping, network mirroring, or phishing relays, and then execute the request simultaneously with the legitimate user.

Recommendations Update to version 8.6.76. Update to version 9.9.0-alpha.2. Disable SMS MFA and use TOTP instead. Implement a rate limiter on the '/login' endpoint to reduce concurrent-request burst capacity.