CVE-2026-43930 Overview
CVE-2026-43930 is a race condition vulnerability in Parse Server, an open source Node.js backend. The flaw resides in the multi-factor authentication (MFA) SMS one-time password (OTP) login path. Two concurrent /login requests carrying the same OTP can both succeed and receive valid session tokens, breaking the single-use property of the OTP. The issue affects Parse Server versions prior to 8.6.76 and 9.9.0-alpha.2. The vulnerability is tracked under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization).
Impact
An attacker who already holds the victim's password and has intercepted the currently valid SMS OTP can submit a login at the same moment as the victim. Both requests pass OTP validation, so the attacker receives a session token of their own while the victim's login also succeeds, defeating the single-use guarantee that MFA OTPs rely on.
Affected Products
- Parse Server versions prior to 8.6.76
- Parse Server 9.x versions prior to 9.9.0-alpha.2
- Deployments using SMS-based MFA OTP authentication
Discovery Timeline
- 2026-05-12 - CVE-2026-43930 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43930
Vulnerability Analysis
The vulnerability is a race condition in the MFA SMS OTP verification flow. Parse Server's login handler validates the submitted OTP against the stored value, then marks the OTP as consumed. The check and the update are not performed atomically. Two requests presenting the same OTP within a narrow time window can both pass the validation step before either marks the OTP as used. Both requests then proceed to issue valid session tokens.
Exploitation has narrow preconditions. The attacker must already hold the victim's password and must obtain the live SMS OTP, for example through a SIM swap, interception of the message in transit or on the device, or a real-time phishing relay. The attacker must also land their request inside the same short window as the legitimate login, which makes the race hard to win reliably. When it succeeds, the attacker holds a valid session token alongside the victim's, and because the victim's own login completes normally, nothing signals to them that their second factor was reused.
Root Cause
The root cause is a Time-of-Check to Time-of-Use (TOCTOU) flaw in the OTP verification routine. The OTP lookup, comparison, and invalidation are separate operations: they are neither folded into a single atomic conditional update (one that consumes the OTP only if it is still the stored, unconsumed value) nor guarded by a per-user lock. Concurrent requests therefore read the same unconsumed OTP and each transition the user to an authenticated session. Single-use semantics require an atomic check-and-consume, which the affected code path does not enforce.
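The two patterns from the root-cause description, side by side, as an added illustration that is not Parse Server's code: an in-memory collection models the OTP store, the document shape (user, otp, consumed) and both login functions are assumptions chosen to mirror the check-then-consume flow, and the findOneAndUpdate method stands in for whatever conditional-update primitive the real database offers.

```javascript
// Added illustration, not Parse Server code. An in-memory "collection" models the
// OTP store; the document shape {user, otp, consumed} and both login functions are
// assumptions that mirror the check-then-consume flow described above.

const yieldToLoop = () => new Promise(resolve => setTimeout(resolve, 0));

function matches(doc, filter) {
  return Object.entries(filter).every(([key, value]) => doc[key] === value);
}

class OtpCollection {
  constructor(docs) {
    this.docs = docs.map(doc => ({ ...doc }));
  }

  // Each call yields once, so concurrent callers interleave as they would on real I/O.
  async findOne(filter) {
    await yieldToLoop();
    const doc = this.docs.find(d => matches(d, filter));
    return doc ? { ...doc } : null; // a snapshot, like a driver result
  }

  async updateOne(filter, set) {
    await yieldToLoop();
    const doc = this.docs.find(d => matches(d, filter));
    if (doc) Object.assign(doc, set);
  }

  // Conditional update: filter evaluation and write happen in one step with no
  // await between them, so for a given document exactly one caller can win.
  async findOneAndUpdate(filter, set) {
    await yieldToLoop();
    const doc = this.docs.find(d => matches(d, filter));
    if (!doc) return null;
    Object.assign(doc, set);
    return { ...doc };
  }
}

let tokenCounter = 0;
const issueSessionToken = user => `r:${user}:${++tokenCounter}`;

// Vulnerable pattern (TOCTOU): read and validate, then mark consumed in a second
// round trip. Two requests can both pass the check before either write lands.
async function vulnerableLogin(col, user, otp) {
  const doc = await col.findOne({ user });
  if (!doc || doc.consumed || doc.otp !== otp) throw new Error('invalid OTP');
  await col.updateOne({ user }, { consumed: true });
  return issueSessionToken(user);
}

// Hardened pattern: the OTP value and the unconsumed state are part of the update
// filter, so "is it valid?" and "mark it used" are one atomic operation.
async function atomicLogin(col, user, otp) {
  const doc = await col.findOneAndUpdate({ user, otp, consumed: false }, { consumed: true });
  if (!doc) throw new Error('invalid OTP');
  return issueSessionToken(user);
}

// Submit the same OTP twice at once (victim and attacker) and count issued sessions.
async function raceLogins(loginFn) {
  const col = new OtpCollection([{ user: 'alice', otp: '482913', consumed: false }]);
  const outcomes = await Promise.allSettled([
    loginFn(col, 'alice', '482913'), // the victim's own login
    loginFn(col, 'alice', '482913'), // the attacker replaying the intercepted OTP
  ]);
  return outcomes.filter(o => o.status === 'fulfilled').length;
}

raceLogins(vulnerableLogin).then(n => console.log(`non-atomic flow: ${n} session tokens issued`));
raceLogins(atomicLogin).then(n => console.log(`atomic flow: ${n} session token issued`));
```

With the non-atomic flow both requests are fulfilled (two tokens for one OTP); with the atomic flow the second request is rejected because the filter no longer matches. The same property holds for any backend whose conditional update is atomic per document, which is what the patched releases rely on.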
Attack Vector
The attack requires network access to the Parse Server /login endpoint plus prior compromise of the victim's password and the live SMS OTP. The attacker submits a login request carrying the captured OTP at the same moment the victim submits theirs. If both requests reach the OTP validation logic before either consumes the OTP, both receive valid session tokens. The attacker ends up with an authenticated session of their own; the victim's session is not invalidated, so nothing looks wrong from the victim's side.
No public exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 0.033%, reflecting the narrow preconditions for exploitation.
Detection Methods for CVE-2026-43930
Indicators of Compromise
- Two or more successful /login responses for the same user account within a sub-second window
- Multiple active session tokens issued for a single user immediately following an MFA challenge
- Login success events from geographically or network-distinct sources within the OTP validity window
Detection Strategies
- Audit Parse Server authentication logs for concurrent login successes that reference the same OTP or MFA challenge identifier, where your logging records one
- Correlate session creation events by user ID and timestamp to surface duplicate issuance within the OTP lifetime
- Alert on MFA login completions originating from two distinct client IP addresses or user agents within seconds of each other
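The correlation described in the strategies above, as an added example that is not Parse Server's own tooling: the JSON log lines are constructed for the demonstration, and their field names (ts, event, user, ip, ua) are an assumption about what your authentication logging emits, not a Parse Server log format.

```javascript
// Added detection example, not Parse Server tooling. The log lines are constructed;
// the field names are an assumption about your own login logging.
const SAMPLE_LOG = `
{"ts":"2026-05-12T10:00:01.120Z","event":"mfa_login_success","user":"alice","ip":"203.0.113.7","ua":"ParseApp/3.1 iOS"}
{"ts":"2026-05-12T10:00:01.430Z","event":"mfa_login_success","user":"alice","ip":"198.51.100.22","ua":"python-requests/2.31"}
{"ts":"2026-05-12T10:00:05.000Z","event":"mfa_login_success","user":"bob","ip":"203.0.113.9","ua":"ParseApp/3.1 Android"}
{"ts":"2026-05-12T10:02:30.000Z","event":"mfa_login_failure","user":"bob","ip":"203.0.113.9","ua":"ParseApp/3.1 Android"}
{"ts":"2026-05-12T10:03:00.000Z","event":"mfa_login_success","user":"bob","ip":"203.0.113.9","ua":"ParseApp/3.1 Android"}
`;

// One JSON object per line; attach a numeric timestamp for arithmetic.
function parseLog(text) {
  return text
    .split('\n')
    .filter(line => line.trim() !== '')
    .map(line => {
      const event = JSON.parse(line);
      return { ...event, t: Date.parse(event.ts) };
    });
}

// Flag any account with two or more successful MFA logins inside windowMs.
// distinctSources is the stronger signal: the same OTP accepted from two
// different client IP / user-agent pairs, which is what the race produces.
function findDuplicateMfaLogins(events, windowMs = 5000) {
  const byUser = new Map();
  for (const e of events) {
    if (e.event !== 'mfa_login_success') continue;
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e);
  }

  const findings = [];
  for (const [user, logins] of byUser) {
    logins.sort((a, b) => a.t - b.t);
    for (let i = 0; i < logins.length; i++) {
      // Grow a cluster from logins[i] while successors stay inside the window.
      const cluster = [logins[i]];
      for (let j = i + 1; j < logins.length && logins[j].t - logins[i].t <= windowMs; j++) {
        cluster.push(logins[j]);
      }
      if (cluster.length < 2) continue;
      findings.push({
        user,
        count: cluster.length,
        spanMs: cluster[cluster.length - 1].t - cluster[0].t,
        distinctSources: new Set(cluster.map(c => `${c.ip}|${c.ua}`)).size > 1,
        timestamps: cluster.map(c => c.ts),
      });
      i += cluster.length - 1; // do not re-report events already in this cluster
    }
  }
  return findings;
}

for (const f of findDuplicateMfaLogins(parseLog(SAMPLE_LOG))) {
  console.log(`${f.user}: ${f.count} MFA logins within ${f.spanMs} ms` +
              (f.distinctSources ? ' from distinct sources' : ''));
}
```

On the sample, alice is reported (two successes 310 ms apart from different IP and user-agent pairs) while bob is not: his two successes are minutes apart and the failure between them is ignored. Tune windowMs to your OTP lifetime; sub-second clusters from distinct sources are the ones to escalate.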
Monitoring Recommendations
- Forward Parse Server application logs to a centralized logging platform with alerting on duplicate session issuance
- Track SMS OTP generation and consumption events with one-to-one cardinality checks
- Monitor for SIM swap indicators and phishing relay activity targeting accounts with SMS-based MFA
How to Mitigate CVE-2026-43930
Immediate Actions Required
- Upgrade Parse Server to 8.6.76 or later on the 8.x line, or to 9.9.0-alpha.2 or later on the 9.x line
- Review authentication logs since deployment for evidence of duplicate session issuance during MFA flows
- Revoke active sessions for any account showing anomalous concurrent logins and force re-authentication
Patch Information
The fix is delivered in Parse Server 8.6.76 and 9.9.0-alpha.2. The patches enforce atomic check-and-consume semantics on the SMS OTP during login. Technical details are available in GitHub Pull Request #10448, GitHub Pull Request #10449, and the GitHub Security Advisory GHSA-jpq4-7fmq-q5fj.
Workarounds
- Migrate from SMS-based MFA to a TOTP authenticator app or hardware security key where supported
- As a stopgap until you can upgrade, serialize /login requests per account with a single-flight gate (a per-user lock in middleware or at the reverse proxy) so that only one OTP verification for a given user is in flight at a time; a plain rate limiter does not close the race, because two requests that arrive together still execute concurrently
- Shorten the SMS OTP validity window; this does not remove the race itself, but it limits how long an intercepted OTP stays usable and so narrows the attacker's opportunity to line up the concurrent request
# Upgrade Parse Server to a patched release
npm install parse-server@8.6.76
# or for the 9.x line
npm install parse-server@9.9.0-alpha.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.