CVE-2026-33624

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33624

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33624.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33624

Aliases

Published

2026-03-24T18:28:52.114Z

Modified

2026-04-10T05:42:50.575586Z

Severity

2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Parse Server: MFA recovery code single-use bypass via concurrent requests

Details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33624.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-367"
    ]
}

References

Affected packages

Git / github.com/parse-community/parse-server

Affected ranges

Type

GIT

Repo

https://github.com/parse-community/parse-server

Events

Introduced

Fixed

372a6cc6134c17e4869090a9043b086ddfdcc526

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.6.60"
        }
    ]
}

Type

GIT

Repo

https://github.com/parse-community/parse-server

Events

Introduced

532a461d30a6ed4457839f2caf5f30d5abf51a55

Fixed

e521eb22c551f500e70bf61915677ad3101ef73e

Database specific

{
    "versions": [
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.6.0-alpha.54"
        }
    ]
}

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.2.0

2.2.1

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.2.17

2.2.18

2.2.19

2.2.2

2.2.20

2.2.21

2.2.22

2.2.23

2.2.24

2.2.25

2.2.25-beta.1

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.4.0

2.4.1

2.4.2

2.5.0

2.5.1

2.5.2

2.5.3

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.8.0

2.8.2

3.*

3.0.0

3.1.0

3.1.1

3.1.2

3.1.3

3.10.0

3.2.0

3.2.1

3.2.2

3.2.3

3.3.0

3.4.0

3.4.1

3.5.0

3.6.0

3.7.0

3.7.1

3.7.2

3.8.0

3.9.0

4.*

4.0.0

4.0.1

4.0.2

4.1.0

4.2.0

4.3.0

4.4.0

4.5.0

5.*

5.0.0

5.0.0-alpha.1

5.1.0

5.1.1

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.3.0

5.3.1

5.3.2

5.3.3

5.4.0

6.*

6.0.0

6.1.0

6.2.0

6.2.1

6.2.2

6.3.0

6.3.1

6.4.0

7.*

7.0.0

7.1.0

7.2.0

7.3.0

7.4.0

8.*

8.0.0

8.0.1

8.0.2

8.1.0

8.2.0

8.2.1

8.2.2

8.2.3

8.2.4

8.2.5

8.3.0

8.4.0

8.5.0

8.6.0

8.6.1

8.6.10

8.6.11

8.6.12

8.6.13

8.6.14

8.6.15

8.6.16

8.6.17

8.6.18

8.6.19

8.6.2

8.6.20

8.6.21

8.6.22

8.6.23

8.6.24

8.6.25

8.6.26

8.6.27

8.6.28

8.6.29

8.6.3

8.6.30

8.6.31

8.6.32

8.6.33

8.6.34

8.6.35

8.6.36

8.6.37

8.6.38

8.6.39

8.6.4

8.6.40

8.6.41

8.6.42

8.6.43

8.6.44

8.6.45

8.6.46

8.6.47

8.6.48

8.6.49

8.6.5

8.6.50

8.6.51

8.6.52

8.6.53

8.6.54

8.6.55

8.6.56

8.6.57

8.6.58

8.6.59

8.6.6

8.6.7

8.6.8

8.6.9

9.*

9.0.0

9.1.0

9.1.1

9.2.0

9.3.0

9.3.1

9.4.0

9.4.1

9.5.0

9.5.1

9.5.2-alpha.1

9.5.2-alpha.10

9.5.2-alpha.11

9.5.2-alpha.12

9.5.2-alpha.13

9.5.2-alpha.14

9.5.2-alpha.2

9.5.2-alpha.3

9.5.2-alpha.4

9.5.2-alpha.5

9.5.2-alpha.6

9.5.2-alpha.7

9.5.2-alpha.8

9.5.2-alpha.9

9.6.0-alpha.1

9.6.0-alpha.10

9.6.0-alpha.11

9.6.0-alpha.12

9.6.0-alpha.13

9.6.0-alpha.14

9.6.0-alpha.15

9.6.0-alpha.16

9.6.0-alpha.17

9.6.0-alpha.18

9.6.0-alpha.19

9.6.0-alpha.2

9.6.0-alpha.20

9.6.0-alpha.21

9.6.0-alpha.22

9.6.0-alpha.23

9.6.0-alpha.24

9.6.0-alpha.25

9.6.0-alpha.26

9.6.0-alpha.27

9.6.0-alpha.28

9.6.0-alpha.29

9.6.0-alpha.3

9.6.0-alpha.30

9.6.0-alpha.31

9.6.0-alpha.32

9.6.0-alpha.33

9.6.0-alpha.34

9.6.0-alpha.35

9.6.0-alpha.36

9.6.0-alpha.37

9.6.0-alpha.38

9.6.0-alpha.39

9.6.0-alpha.4

9.6.0-alpha.40

9.6.0-alpha.41

9.6.0-alpha.42

9.6.0-alpha.43

9.6.0-alpha.44

9.6.0-alpha.45

9.6.0-alpha.46

9.6.0-alpha.47

9.6.0-alpha.48

9.6.0-alpha.49

9.6.0-alpha.5

9.6.0-alpha.50

9.6.0-alpha.51

9.6.0-alpha.52

9.6.0-alpha.53

9.6.0-alpha.6

9.6.0-alpha.7

9.6.0-alpha.8

9.6.0-alpha.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33624.json"