CVE-2026-31875

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. This vulnerability is fixed in 9.6.0-alpha.7 and 8.6.33.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/parse-community/parse-server/releases/tag/8.6.33	Product Release Notes
https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7	Product Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6::::node.js::*

History

No history.

Information

Published : 2026-03-11 18:16

Updated : 2026-03-13 17:15

NVD link : CVE-2026-31875

Mitre link : CVE-2026-31875

CVE.ORG link : CVE-2026-31875

JSON object : View

Products Affected

parseplatform

parse-server

CWE

CWE-672

Operation on a Resource after Expiration or Release

{"id": "CVE-2026-31875", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-11T18:16:27.003", "references": [{"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.33", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-672"}]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. This vulnerability is fixed in 9.6.0-alpha.7 and 8.6.33."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.6.0-alpha.7 y 8.6.33, cuando la autenticaci\u00f3n multifactor (MFA) v\u00eda TOTP est\u00e1 habilitada para una cuenta de usuario, Parse Server genera dos c\u00f3digos de recuperaci\u00f3n de un solo uso. Estos c\u00f3digos est\u00e1n destinados como un mecanismo de respaldo cuando el usuario no puede proporcionar un token TOTP. Sin embargo, los c\u00f3digos de recuperaci\u00f3n no se consumen despu\u00e9s de su uso, permitiendo que el mismo c\u00f3digo de recuperaci\u00f3n sea utilizado un n\u00famero ilimitado de veces. Esto anula el dise\u00f1o de un solo uso de los c\u00f3digos de recuperaci\u00f3n y debilita la seguridad de las cuentas protegidas por MFA. Un atacante que obtiene un solo c\u00f3digo de recuperaci\u00f3n puede autenticarse repetidamente como el usuario afectado sin que el c\u00f3digo sea invalidado. Esta vulnerabilidad est\u00e1 corregida en 9.6.0-alpha.7 y 8.6.33."}], "lastModified": "2026-03-13T17:15:25.833", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "9B6904FF-E42E-4699-BA2C-0ABFB03D6F68", "versionEndExcluding": "8.6.33"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "1BAC01F8-0899-482C-8D91-64671BF2859A", "versionEndExcluding": "9.6.0", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BBED261F-CA1B-44BC-9C3A-37378590EFEE"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "EDC98AF7-8620-4A25-9BE5-623672599677"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "DF340605-8CC8-4543-9F5D-E8602D258CED"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A052DFCA-EDCC-43D7-82C7-E5311F6F7687"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "12B11714-B961-4330-B241-FC5AF94FDBE8"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "37A7C42B-4986-4BB6-BB27-0324A9AA1CFF"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}