PatchSiren cyber security CVE debrief

CVE-2026-43930 parse-community CVE debrief

A race condition in Parse Server's MFA SMS OTP login path allows two concurrent /login requests carrying the same OTP to both succeed, violating the single-use property of one-time passwords. The vulnerability affects versions prior to 8.6.76 and 9.9.0-alpha.2. Exploitation requires the attacker to already hold the victim's password and to obtain the active SMS OTP (for example by SIM swap, interception on the carrier network, or a phishing relay), then submit a second login at the same moment as the legitimate one. This narrow attack surface, combined with high attack complexity and the privileges already required, yields a LOW severity rating (CVSS 4.0 score 2.1). The issue was published on 2026-05-12 and last modified on 2026-05-26. No known exploitation in the wild or use in ransomware campaigns has been reported.

Vendor
parse-community
Product
parse-server
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-12
Original CVE updated
2026-05-26
Advisory published
2026-05-12
Advisory updated
2026-05-26

Who should care

Organizations running Parse Server versions prior to 8.6.76 or 9.9.0-alpha.2 with SMS-based MFA enabled. Security teams monitoring for authentication bypass techniques. Infrastructure operators with Parse Server deployments handling sensitive user sessions.

Technical summary

The vulnerability is a race condition (CWE-362) in the multi-factor authentication SMS one-time password login flow. When two /login requests carrying the same OTP arrive concurrently, both can pass the OTP check and both receive valid session tokens, which breaks the single-use guarantee an OTP is supposed to provide. The public description does not detail the code path; the behaviour is consistent with a check-then-consume ordering, in which the OTP is verified, the request proceeds, and only afterwards is the OTP marked as used, leaving a window in which a second request still sees the OTP as unused. Versions 8.6.76 and 9.9.0-alpha.2 contain the fix. The advisory confirms the fixed versions but not the mechanism; the standard remedy for this class of bug is to make verification and consumption a single atomic step (a conditional update that marks the OTP used and succeeds for at most one caller), so that the second concurrent request fails regardless of timing.
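To make the failure mode concrete, the following is an added example written for this debrief; it is not Parse Server's code and does not reproduce its login handler. It races two identical logins against a verifier that checks the OTP and marks it used only after an asynchronous gap, and against one that consumes the OTP in a single check-and-set step. The in-memory Map, the user name alice, the OTP value and the session format are all constructed for the illustration.

```javascript
// Added illustration, not Parse Server's own code: an OTP login that checks the
// code and only later marks it used (racy), beside one that consumes the code
// in a single check-and-set step (atomic). The Map stands in for the database;
// the await between check and write models the I/O gap in which a second
// concurrent request can interleave. Store shape, user name and OTP are constructed.

function makeStore() {
  return new Map([
    ['alice', { otp: '482913', used: false, expiresAt: Date.now() + 5 * 60 * 1000 }],
  ]);
}

// Constant-time string comparison so the check itself does not leak digits.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function otpValid(record, otp) {
  return Boolean(record) && !record.used && record.expiresAt > Date.now()
    && constantTimeEqual(record.otp, otp);
}

let sessionCounter = 0;
function issueSession(user) {
  sessionCounter += 1;
  return `session-${user}-${sessionCounter}`;
}

// Racy: verify, yield to the event loop (simulated DB round trip), then mark used.
// Both concurrent callers read used === false before either write lands.
async function loginRacy(store, user, otp) {
  const record = store.get(user);
  if (!otpValid(record, otp)) return null;
  await new Promise(resolve => setImmediate(resolve));
  record.used = true;
  return issueSession(user);
}

// Atomic: the check and the used=true write happen without yielding, so at most
// one caller wins. Against a real database the equivalent is one conditional
// update ("update where user=? and used=false set used=true") with "no row
// updated" treated as a failed login.
function consumeOtpOnce(store, user, otp) {
  const record = store.get(user);
  if (!otpValid(record, otp)) return false;
  record.used = true;
  return true;
}

async function loginAtomic(store, user, otp) {
  if (!consumeOtpOnce(store, user, otp)) return null;
  await new Promise(resolve => setImmediate(resolve));
  return issueSession(user);
}

// Fire two identical /login requests at once and count the sessions issued.
async function raceLogins(loginFn, otp = '482913') {
  const store = makeStore();
  const results = await Promise.all([
    loginFn(store, 'alice', otp),
    loginFn(store, 'alice', otp),
  ]);
  return results.filter(Boolean).length;
}

raceLogins(loginRacy).then(n => console.log('racy login: sessions issued =', n));          // 2
raceLogins(loginAtomic).then(n => console.log('atomic login: sessions issued =', n));      // 1
raceLogins(loginAtomic, '000000').then(n => console.log('wrong OTP: sessions issued =', n)); // 0
```

The racy verifier issues two sessions because both requests read the record before either write lands; the atomic one issues exactly one, and a wrong OTP issues none. In a real deployment the single-threaded check-and-set has to become a conditional database update (or a per-user lock around verification), since separate worker processes do not share an event loop.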

Defensive priority

LOW

Recommended defensive actions

  • Upgrade Parse Server to version 8.6.76 or later, or 9.9.0-alpha.2 or later for the 9.x branch
  • Review authentication logs for the period before patching. Logs normally do not record the OTP value itself, so look instead for two successful /login responses for the same user within a very short window (sub-second to a few seconds), especially from different source addresses; a legitimate login yields one session per OTP
  • Add concurrency controls on the /login endpoint as defense in depth. Ordinary per-IP rate limiting does not close this hole on its own, since the attack needs only two requests that arrive together; serialising OTP verification per user (a per-user lock or a single-writer queue) does
  • Evaluate MFA methods beyond SMS OTP where practical, given inherent risks of SMS interception
  • Monitor for indicators of OTP interception such as unexpected login locations or rapid successive authentication attempts
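The log review and monitoring items above can be turned into a small detector. The following is an added example, not a PatchSiren or Parse Server tool: it scans JSON log lines for two successful SMS-MFA /login events for the same user inside a short window. The log lines are constructed for the illustration, and the field names (ts, path, status, user, mfa, ip) are assumptions; Parse Server's real log format is not asserted here, so adapt the parser to whatever the reverse proxy or application actually emits.

```javascript
// Added detector, not part of the original debrief or of Parse Server: flag
// users who received two successful SMS-MFA /login responses within windowMs.
// Field names below are assumed; map them to the real log schema before use.

// Constructed sample log, JSON Lines. alice shows the double-success pattern
// from two different addresses 27 ms apart; bob has one failure then one
// success; carol has two successes 3.5 s apart; one line is not JSON at all.
const SAMPLE_LOG_LINES = [
  '{"ts":"2026-05-13T08:12:01.104Z","method":"POST","path":"/login","status":200,"user":"alice","mfa":"sms","ip":"203.0.113.7"}',
  '{"ts":"2026-05-13T08:12:01.131Z","method":"POST","path":"/login","status":200,"user":"alice","mfa":"sms","ip":"198.51.100.22"}',
  '{"ts":"2026-05-13T08:14:40.000Z","method":"POST","path":"/login","status":401,"user":"bob","mfa":"sms","ip":"192.0.2.10"}',
  '{"ts":"2026-05-13T08:14:45.210Z","method":"POST","path":"/login","status":200,"user":"bob","mfa":"sms","ip":"192.0.2.10"}',
  '{"ts":"2026-05-13T09:30:00.000Z","method":"GET","path":"/classes/Note","status":200,"user":"carol","ip":"192.0.2.44"}',
  '{"ts":"2026-05-13T09:30:00.000Z","method":"POST","path":"/login","status":200,"user":"carol","mfa":"sms","ip":"192.0.2.44"}',
  '{"ts":"2026-05-13T09:30:03.500Z","method":"POST","path":"/login","status":200,"user":"carol","mfa":"sms","ip":"192.0.2.44"}',
  'May 13 09:31:00 parse-server[1234]: not a JSON line, should be skipped',
];

// Returns one hit per pair of consecutive successful SMS-MFA logins for the
// same user whose timestamps are at most windowMs apart.
function findDoubleOtpLogins(lines, windowMs = 2000) {
  const byUser = new Map();
  for (const line of lines) {
    let ev;
    try { ev = JSON.parse(line); } catch (e) { continue; }   // skip non-JSON lines
    if (ev.path !== '/login' || ev.status !== 200 || ev.mfa !== 'sms') continue;
    const t = Date.parse(ev.ts);
    if (Number.isNaN(t)) continue;
    if (!byUser.has(ev.user)) byUser.set(ev.user, []);
    byUser.get(ev.user).push({ t, ts: ev.ts, ip: ev.ip });
  }

  const hits = [];
  for (const [user, events] of byUser) {
    events.sort((a, b) => a.t - b.t);
    for (let i = 1; i < events.length; i++) {
      const gapMs = events[i].t - events[i - 1].t;
      if (gapMs <= windowMs) {
        hits.push({
          user,
          first: events[i - 1].ts,
          second: events[i].ts,
          ips: [events[i - 1].ip, events[i].ip],
          gapMs,
        });
      }
    }
  }
  return hits;
}

for (const hit of findDoubleOtpLogins(SAMPLE_LOG_LINES)) {
  console.log(`possible OTP reuse: user=${hit.user} gap=${hit.gapMs}ms ips=${hit.ips.join(',')}`);
}
```

With the default 2 s window only alice is reported; widening the window to 5 s also catches carol's pair, which illustrates the trade-off: the wider the window, the more ordinary retries (a user who logged in twice in quick succession) appear alongside genuine double-consumption. Two different source addresses for the same pair, as in alice's case, is the stronger signal and is worth surfacing separately.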

Evidence notes

The vulnerability description and affected version ranges are derived from the official CVE record and NVD entry. The race condition affects the MFA SMS OTP login path specifically. Fix versions 8.6.76 and 9.9.0-alpha.2 are confirmed by vendor security advisory. CVSS 4.0 vector indicates network attack vector with high attack complexity and high privileges required.

Official resources

2026-05-12