What is CVE-2026-43930?

CVE-2026-43930 is a medium-severity vulnerability in Parse-community Parse-server, classified under Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition). CVSS score: 5.9/10. Published 2026-05-12.

How severe is CVE-2026-43930?

Medium severity. CVSS v3 base score is 5.9 out of 10.

Vulnerability in Parse-community Parse-server

CVE-2026-43930

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requ…

Vulnerability class: Race Condition

EPSS: 0.000 (1.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N.

Affected products

Parse-community Parse-server — versions >= 9.0.0, < 9.9.0-alpha.2, < 8.6.76
Parseplatform Parse-server — versions 9.9.0

Weakness classification (CWE)

CWE-362 — Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)

References

security-advisories@github.com (x_refsource_CONFIRM, Mitigation, Vendor Advisory)
security-advisories@github.com (Patch, x_refsource_MISC, Issue Tracking)
security-advisories@github.com (Patch, x_refsource_MISC, Issue Tracking)

Frequently asked questions

What is CVE-2026-43930?: CVE-2026-43930 is a medium-severity vulnerability in Parse-community Parse-server, classified under Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition). CVSS score: 5.9/10. Published 2026-05-12.
How severe is CVE-2026-43930?: Medium severity. CVSS v3 base score is 5.9 out of 10.