Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.64 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc944Patch
- https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fbPatch
- https://github.com/parse-community/parse-server/pull/10326Issue TrackingPatch
- https://github.com/parse-community/parse-server/pull/10327Issue TrackingPatch
- https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5PatchVendor Advisory
FAQ
What is CVE-2026-34224?
CVE-2026-34224 is a vulnerability with a CVSS score of 4.4 (MEDIUM). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication pro...
How severe is CVE-2026-34224?
CVE-2026-34224 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34224?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.