Vulnerability in Parse-community Parse-server

CVE-2026-34224

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery c…

Vulnerability class: TOCTOU (Time-of-Check to Time-of-Use)

EPSS: 0.000 (5.5th percentile) — read the EPSS interpretation.

Affected products

Parse-community Parse-server — versions < 8.6.64, >= 9.0.0, < 9.7.0-alpha.8

Weakness classification (CWE)

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf (x_refsource_CONFIRM)
https://github.com/parse-community/parse-server/pull/10326 (x_refsource_MISC)
https://github.com/parse-community/parse-server/pull/10327 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf (x_refsource_MISC)