Vulnerability in Parse-community Parse-server
CVE-2026-33624
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that re…
Vulnerability class: TOCTOU (Time-of-Check to Time-of-Use)
EPSS: 0.000 (9.9th percentile)
Affected products
- Parse-community Parse-server: versions earlier than 8.6.60; versions 9.0.0 and later but earlier than 9.6.0-alpha.54
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp (x_refsource_CONFIRM)
- https://github.com/parse-community/parse-server/pull/10275 (x_refsource_MISC)
- https://github.com/parse-community/parse-server/pull/10276 (x_refsource_MISC)
- https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff (x_refsource_MISC)
- https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c (x_refsource_MISC)