CVE-2026-34224 Overview
Parse Server, an open source backend that can be deployed to any infrastructure that can run Node.js, contains a race condition vulnerability in its multi-factor authentication (MFA) implementation. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint.
This vulnerability defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. The flaw stems from a Time-of-Check Time-of-Use (TOCTOU) race condition (CWE-367) in the authentication handling logic.
Critical Impact
Attackers can bypass single-use MFA token controls and establish persistent access to user accounts, maintaining unauthorized sessions even after legitimate session revocation attempts.
Affected Products
- Parse Server versions prior to 8.6.64 (stable branch)
- Parse Server versions 9.7.0-alpha1 through 9.7.0-alpha7
- All Parse Server deployments using MFA with recovery codes or SMS OTP
Discovery Timeline
- March 31, 2026 - CVE-2026-34224 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34224
Vulnerability Analysis
The vulnerability exists in the authData login endpoint of Parse Server where MFA token validation and session creation are not handled atomically. When concurrent login requests are submitted with the same valid MFA recovery code or SMS one-time password, the server processes these requests in parallel without proper synchronization.
The root cause is a classic Time-of-Check Time-of-Use (TOCTOU) race condition. Between the moment Parse Server validates the MFA token and the moment it invalidates that token, multiple concurrent requests can pass the validation check and create separate authenticated sessions—all using the same single-use credential.
This vulnerability requires network access and depends on the attacker already possessing valid authentication provider tokens along with a single MFA recovery code or SMS OTP. The attack complexity is high due to the precise timing required for concurrent request submission, but successful exploitation allows for persistent unauthorized access.
Root Cause
The vulnerability is classified under CWE-367 (Time-of-Check Time-of-Use Race Condition). The RestWrite.js module in Parse Server did not properly capture and protect the original authData state before processing mutations during the login flow.
When processing authData login requests, the server would:
- Validate the MFA token against the stored user data
- Create a new authenticated session
- Invalidate the MFA token
The problem occurred because step 1 could complete for multiple concurrent requests before any of them reached step 3, allowing all requests to create valid sessions from a single-use token.
Attack Vector
The attack requires network access to the Parse Server authData login endpoint. An attacker must first obtain a valid authentication provider token (through legitimate means or prior compromise) and a single MFA recovery code or SMS one-time password. By sending multiple concurrent login requests with these credentials, the attacker can establish multiple authenticated sessions.
The security patch addresses this by capturing the original authData state before any mutations occur:
// We are supposed to have a response only on LOGIN with authData, so we skip those
// If we're not logging in, but just updating the current user, we can safely skip that part
if (this.response) {
+ // Capture original authData before mutating userResult via the response reference
+ const originalAuthData = userResult?.authData
+ ? Object.fromEntries(
+ Object.entries(userResult.authData).map(([k, v]) =>
+ [k, v && typeof v === 'object' ? { ...v } : v]
+ )
+ )
+ : undefined;
+
// Assign the new authData in the response
Object.keys(mutatedAuthData).forEach(provider => {
this.response.response.authData[provider] = mutatedAuthData[provider];
Source: GitHub Commit
Detection Methods for CVE-2026-34224
Indicators of Compromise
- Multiple authenticated sessions created for the same user within milliseconds of each other
- Login attempts with identical MFA recovery codes or SMS OTP values occurring in rapid succession
- Unusual patterns of concurrent requests to the authData login endpoint from the same source
- Session persistence for accounts where the legitimate user has attempted session revocation
Detection Strategies
- Monitor authentication logs for concurrent login attempts with identical MFA credentials within short time windows (sub-second intervals)
- Implement alerting on multiple successful MFA authentications for the same user account within a configurable threshold period
- Analyze request timing patterns to the /parse/login and authData endpoints for signs of automated concurrent submissions
Monitoring Recommendations
- Enable detailed logging for all MFA-related authentication events including timestamps with millisecond precision
- Configure SIEM rules to correlate rapid successive session creation events per user account
- Monitor for anomalous session counts per user that may indicate exploitation of this race condition
How to Mitigate CVE-2026-34224
Immediate Actions Required
- Upgrade Parse Server to version 8.6.64 or later for stable deployments immediately
- Upgrade Parse Server to version 9.7.0-alpha.8 or later for alpha branch deployments
- Audit existing user sessions for signs of exploitation, particularly accounts with multiple concurrent session creation events
- Review authentication logs for suspicious patterns of concurrent MFA token usage
Patch Information
Parse Platform has released security patches addressing this vulnerability. The fix ensures that the original authData state is captured before any mutations during the authentication flow, preventing the race condition that allowed MFA token reuse.
For detailed patch information, refer to:
- GitHub Pull Request #10326 (stable branch)
- GitHub Pull Request #10327 (alpha branch)
- GitHub Security Advisory GHSA-w73w-g5xw-rwhf
Workarounds
- Implement rate limiting on the authData login endpoint to prevent rapid concurrent authentication attempts
- Add application-level mutex or locking mechanisms around MFA validation if immediate patching is not feasible
- Consider temporarily disabling MFA recovery code functionality until the patch can be applied, relying on alternative recovery mechanisms
# Configuration example for rate limiting (using nginx as reverse proxy)
# Add to your nginx configuration for Parse Server endpoints
limit_req_zone $binary_remote_addr zone=parse_auth:10m rate=2r/s;
location /parse/login {
limit_req zone=parse_auth burst=5 nodelay;
proxy_pass http://parse-server:1337;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
