LOW
parse-community
CVE published 2026-05-12
CVE-2026-43930
A race condition in Parse Server's MFA SMS OTP login path allows two concurrent /login requests with the same OTP to both succeed, violating the single-use property of one-time passwords. The vulnerability exists in versions prior to 8.6.76 and 9.9.0-alpha.2. Exploitation requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g., via SIM swap, network mirror, or [truncated]
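The single-use violation described above, reduced to a generic check-then-act pattern next to an atomic consume. This is an added sketch, not Parse Server's code or its actual fix. `OtpStore`, `loginCheckThenAct`, `loginAtomic` and `replayDemo` are hypothetical names, the OTP value is constructed, and `ioDelay` stands in for a database round trip.

```javascript
// Added illustration; not Parse Server code. All names here are hypothetical
// and the OTP value is a constructed sample.
const ioDelay = () => new Promise((resolve) => setTimeout(resolve, 0)); // simulated storage round trip

class OtpStore {
  constructor() { this.pending = new Map(); }
  issue(user, code) { this.pending.set(user, code); }
  async read(user) { await ioDelay(); return this.pending.get(user); }
  async remove(user) { await ioDelay(); this.pending.delete(user); }
  // Compare and delete in one step, as a conditional delete/update would in a database.
  async consume(user, code) {
    await ioDelay();
    if (!this.pending.has(user) || this.pending.get(user) !== code) return false;
    this.pending.delete(user);
    return true;
  }
}

// Check-then-act: the OTP is validated in one storage call and invalidated in
// another, so a second request can pass validation before the first invalidates it.
async function loginCheckThenAct(store, user, code) {
  const stored = await store.read(user);
  if (stored === undefined || stored !== code) return false;
  await store.remove(user);
  return true;
}

// Single use enforced by the store: only the request that wins the consume succeeds.
async function loginAtomic(store, user, code) {
  return store.consume(user, code);
}

// Send the same OTP twice concurrently through each path and count successes.
async function replayDemo() {
  const count = async (login) => {
    const store = new OtpStore();
    store.issue('alice', '493027'); // constructed sample OTP
    const results = await Promise.all([
      login(store, 'alice', '493027'),
      login(store, 'alice', '493027'),
    ]);
    return results.filter(Boolean).length;
  };
  return { checkThenAct: await count(loginCheckThenAct), atomic: await count(loginAtomic) };
}

replayDemo().then((r) => console.log(r)); // { checkThenAct: 2, atomic: 1 }
```

With more than one server process, the compare-and-delete has to be performed by the shared datastore itself, since an in-process lock does not cover requests handled by another instance.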