Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/pull/10448
- https://github.com/parse-community/parse-server/pull/10449
- https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7f
FAQ
What is CVE-2026-43930?
CVE-2026-43930 is a documented vulnerability. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login...
How severe is CVE-2026-43930?
CVSS scoring is not yet available for CVE-2026-43930. Check NVD for updates.
Is there a patch for CVE-2026-43930?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.