
CVE Reports

Originally published at cvereports.com

CVE-2026-33624: Time-of-Check Time-of-Use (TOCTOU) Race Condition in Parse Server MFA Recovery

Vulnerability ID: CVE-2026-33624
CVSS Score: 2.1
Published: 2026-03-24

Parse Server versions prior to 8.6.60 and 9.6.0-alpha.54 contain a Time-of-check Time-of-use (TOCTOU) race condition in the Multi-Factor Authentication (MFA) recovery mechanism. By issuing concurrent login requests, an attacker possessing a user's password and a single valid MFA recovery code can establish multiple active sessions, bypassing the intended single-use restriction of the recovery code.

TL;DR

A race condition in Parse Server allows an attacker to bypass the single-use restriction of MFA recovery codes by sending concurrent login requests, allowing multiple sessions to be established with one code.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: Time-of-check Time-of-use (TOCTOU) Race Condition
  • CWE ID: CWE-367
  • CVSS v4.0 Score: 2.1 (Low)
  • Attack Vector: Network
  • Exploit Status: Proof of Concept (PoC) Available
  • CISA KEV: Not Listed

Affected Systems

  • Parse Server Backend
  • parse-server: < 8.6.60 (Fixed in: 8.6.60)
  • parse-server: >= 9.0.0, < 9.6.0-alpha.54 (Fixed in: 9.6.0-alpha.54)

Code Analysis

Commit: 5e70094

Fix for MFA recovery code TOCTOU via optimistic locking

Commit: fc3da35

Additional test coverage and fixes for concurrent MFA login
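The race the advisory describes and the optimistic-locking fix, as an added example that is not Parse Server's code: a constructed in-memory store stands in for the database, `updateIf` models a query-with-condition update, and the names `makeStore`, `loginVulnerable`, `loginFixed` and `sessionsFromOneCode` are assumptions.

```javascript
// Added example (not Parse Server's code): a constructed in-memory "database"
// where each call yields once, standing in for the I/O round-trip that opens
// the TOCTOU window between reading a user's recovery codes and removing one.
function makeStore(users) {
  const docs = new Map(Object.entries(users));
  const io = () => new Promise((resolve) => setImmediate(resolve));
  return {
    async findOne(id) { await io(); return docs.get(id); },
    async update(id, fields) { await io(); Object.assign(docs.get(id), fields); },
    // Conditional update: predicate and write happen in one step, as a database
    // does for a query-with-condition update. Returns whether the write "won".
    async updateIf(id, predicate, fields) {
      await io();
      const doc = docs.get(id);
      if (!predicate(doc)) return false;
      Object.assign(doc, fields(doc));
      return true;
    },
  };
}

// Vulnerable pattern: check at T1, consume at T2; every concurrent request
// that reads between T1 and T2 still sees the recovery code as valid.
async function loginVulnerable(store, userId, code) {
  const user = await store.findOne(userId);            // time of check
  if (!user.recoveryCodes.includes(code)) return null;
  await store.update(userId, {                         // time of use
    recoveryCodes: user.recoveryCodes.filter((c) => c !== code),
  });
  return { userId, session: `constructed-token-${Date.now()}` };
}

// Hardened pattern: "code is still present" and its removal are one atomic
// conditional write, so only the first request's write succeeds.
async function loginFixed(store, userId, code) {
  const consumed = await store.updateIf(
    userId,
    (doc) => doc.recoveryCodes.includes(code),
    (doc) => ({ recoveryCodes: doc.recoveryCodes.filter((c) => c !== code) }),
  );
  return consumed ? { userId, session: `constructed-token-${Date.now()}` } : null;
}

// Fire N logins with the same single-use code at once; count sessions issued.
async function sessionsFromOneCode(login, attempts = 5) {
  const store = makeStore({ alice: { recoveryCodes: ['rc-1', 'rc-2'] } });
  const tries = Array.from({ length: attempts }, () => login(store, 'alice', 'rc-1'));
  return (await Promise.all(tries)).filter(Boolean).length;
}
```

Calling `sessionsFromOneCode(loginVulnerable)` yields one session per concurrent attempt, while `sessionsFromOneCode(loginFixed)` yields exactly one; the same check-then-update shape is what the optimistic-locking commit replaces with a conditional query.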

Mitigation Strategies

  • Update Parse Server to version 8.6.60 or 9.6.0-alpha.54.
  • Ensure backend database adapters (MongoDB/PostgreSQL) are updated to support the new dot-notation optimistic locking queries.
  • Monitor application logs for bursts of near-simultaneous login requests against the same account, which is the pattern this race requires, to detect exploitation attempts.

Remediation Steps:

  1. Identify the current running version of Parse Server via package.json or deployment metadata.
  2. Update the parse-server dependency to >= 8.6.60 (for 8.x users) or >= 9.6.0-alpha.54 (for 9.x users).
  3. Execute integration tests to ensure that MFA mechanisms function correctly with the updated database adapters.
  4. Deploy the updated application to production environments.
  5. Invalidate all active sessions for accounts suspected of credential compromise, so that any extra sessions established through the race are revoked.

Read the full report for CVE-2026-33624 on our website for more details including interactive diagrams and full exploit analysis.