CVE-2026-32943: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in parse-community parse-server
CVE-2026-32943 is a TOCTOU race condition vulnerability in the password reset mechanism of parse-community's parse-server versions prior to 9.6.0-alpha.28 and 8.6.48. The flaw allows multiple concurrent uses of the same password reset token, enabling an attacker who intercepts the token to race the legitimate user's reset request and potentially set their own password instead. This can cause the legitimate user to believe their password was changed successfully while the attacker gains access. The vulnerability arises because the token validation and consumption were not atomic operations, allowing multiple requests to succeed simultaneously. The issue is fixed in later versions by atomically validating and consuming the token during the password update query, preventing reuse.
AI Analysis
Technical Summary
Parse Server, an open-source backend platform running on Node.js, contained a time-of-check to time-of-use (TOCTOU) race condition vulnerability (CVE-2026-32943) in its password reset mechanism prior to versions 9.6.0-alpha.28 and 8.6.48. When a user requests a password reset, a token is generated and intended for single use. However, the affected versions did not enforce atomic consumption of this token, allowing multiple concurrent requests to use the same token within a short time window. An attacker who intercepts or obtains the reset token can initiate a race condition by submitting a password reset request simultaneously with the legitimate user. Due to the lack of atomic validation and consumption, both requests may succeed, but the attacker’s password reset can override the legitimate user’s change. This undermines account integrity and can lead to unauthorized account takeover. The root cause is the separation of token validation and password update operations, which allowed multiple successful consumptions of the same token. The fix implemented in versions 9.6.0-alpha.28 and 8.6.48 involves atomically validating and consuming the reset token as part of the password update database query, ensuring only one request can succeed. No alternative mitigations exist other than upgrading to these fixed versions. The vulnerability is classified under CWE-367 (Time-of-check Time-of-use Race Condition) and has a CVSS 4.0 score of 2.3, reflecting low severity due to the need for user interaction and the complexity of exploitation. No known exploits are currently in the wild.
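To make the check-then-use gap and the atomic fix concrete, the following is an added illustration written for this page; it is not parse-server's code, and the in-memory store, the field names (resetToken, resetTokenExpiry) and the handler names are hypothetical. It runs two concurrent reset requests carrying the same token against a stand-in user collection, first through a handler that validates the token and then updates the password in a separate operation, and then through a handler that validates and consumes the token in one conditional update, as the advisory describes the fix doing.

```javascript
// In-memory stand-in for a user collection. Field names (resetToken, resetTokenExpiry)
// and the API are hypothetical; they are not parse-server's schema or storage adapter.
function makeStore() {
  const users = new Map([
    ['alice', { username: 'alice', password: 'hash(old-pw)', resetToken: 'TOKEN-123',
                resetTokenExpiry: Date.now() + 3600_000 }],
  ]);
  return {
    // Read step: resolves asynchronously, like a real database round trip.
    async findOneByToken(token) {
      await null;
      for (const u of users.values()) if (u.resetToken === token) return { ...u };
      return null;
    },
    // Write step that trusts an earlier read: this is the TOCTOU shape.
    async updatePassword(username, newHash) {
      await null;
      const u = users.get(username);
      u.password = newHash;
      delete u.resetToken;
      delete u.resetTokenExpiry;
    },
    // Conditional update: the filter is re-checked and the document mutated in one
    // step, like a single-document findOneAndUpdate. Nothing can interleave between them.
    async findOneAndUpdate(filter, update) {
      await null;
      for (const u of users.values()) {
        if (u.resetToken === filter.resetToken && u.resetTokenExpiry > filter.notExpiredAt) {
          Object.assign(u, update);
          return true;
        }
      }
      return false;
    },
    get: (username) => users.get(username),
  };
}

// Vulnerable pattern: validate the token, then update the password in a separate
// operation. Between the two awaits a second request holding the same token passes the
// same check, so both requests "succeed" and the last writer wins.
async function resetPasswordRacy(store, token, newHash) {
  const user = await store.findOneByToken(token);             // time of check
  if (!user || user.resetTokenExpiry <= Date.now()) return { ok: false };
  await store.updatePassword(user.username, newHash);         // time of use
  return { ok: true };
}

// Hardened pattern: validation and consumption are one conditional update. Only the
// request whose update still matches the unconsumed token changes the password; the
// other request matches no document and is rejected.
async function resetPasswordAtomic(store, token, newHash) {
  const consumed = await store.findOneAndUpdate(
    { resetToken: token, notExpiredAt: Date.now() },
    { password: newHash, resetToken: undefined, resetTokenExpiry: undefined },
  );
  return { ok: consumed };
}

// Runs the legitimate user's request and a second request carrying the same token
// concurrently, and reports how many succeeded and which password ended up stored.
async function race(handler) {
  const store = makeStore();
  const results = await Promise.all([
    handler(store, 'TOKEN-123', 'hash(legit-new-pw)'),
    handler(store, 'TOKEN-123', 'hash(second-request-pw)'),
  ]);
  return {
    successes: results.filter((r) => r.ok).length,
    finalPassword: store.get('alice').password,
  };
}

Promise.all([race(resetPasswordRacy), race(resetPasswordAtomic)]).then(([racy, atomic]) => {
  console.log('check-then-update:', racy);   // 2 successes, second request's password stored
  console.log('atomic update:    ', atomic); // 1 success, legitimate user's password stored
});
```

The point the simulation makes is that the racy handler's second request never re-reads the store: it decides on a stale copy of the user document, so its later write overwrites the first. The atomic handler puts the token in the update filter itself, so consuming the token and checking it are the same database operation and a second match is impossible regardless of timing.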
Potential Impact
This vulnerability can lead to unauthorized account takeover by allowing an attacker who intercepts a password reset token to race the legitimate user’s reset request and set their own password instead. This compromises the integrity of user accounts and can result in loss of control over user data and services protected by parse-server authentication. Organizations relying on parse-server for backend services, especially those handling sensitive user data or critical applications, face risks of account compromise and potential downstream impacts such as data breaches or service misuse. Although exploitation requires interception of a reset token and concurrent request timing, the risk is significant in environments where network traffic can be monitored or intercepted, such as unsecured networks or compromised infrastructure. The vulnerability does not affect confidentiality or availability directly but undermines trust in authentication mechanisms. The low CVSS score reflects the complexity and limited scope, but the impact on affected accounts can be severe. Without upgrading, all deployments using the vulnerable versions remain exposed.
Mitigation Recommendations
The primary and only effective mitigation is to upgrade parse-server to version 9.6.0-alpha.28 or later, or 8.6.48 or later, where the password reset token consumption is atomic and race conditions are prevented. Organizations should audit their parse-server deployments to identify affected versions and prioritize patching. Additionally, monitoring password reset logs for unusual concurrent reset attempts may help detect exploitation attempts. Implementing network security controls such as TLS encryption and secure token transmission can reduce the risk of token interception. Where upgrading is not immediately possible, consider restricting access to password reset endpoints via network controls or additional authentication layers, though this is not a full mitigation. Educating users to report suspicious password reset activity can also aid in early detection. Finally, reviewing and enhancing overall token management and authentication workflows to ensure atomic operations can prevent similar issues in other components.
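The recommendation to watch reset logs for unusual concurrent attempts can be turned into a simple check. The following is an added example for this page, not a parse-server feature; the log line format and the sample lines are constructed for illustration, since the page does not show parse-server's actual log output. The rule is that a single-use token should never complete more than one successful reset, so any token with two or more successes is reported together with the time span between them and the source addresses involved.

```javascript
// Constructed sample log lines. The format (one line per completed reset request) is an
// assumption for this example, not parse-server's actual log output.
const SAMPLE_LOG = [
  '2026-03-18T21:58:01.120Z reset_password user=alice token=tok_a1 result=success ip=198.51.100.7',
  '2026-03-18T21:58:01.131Z reset_password user=alice token=tok_a1 result=success ip=203.0.113.9',
  '2026-03-18T21:59:40.004Z reset_password user=bob token=tok_b2 result=success ip=198.51.100.8',
  '2026-03-18T22:03:12.555Z reset_password user=carol token=tok_c3 result=invalid_token ip=203.0.113.9',
  '2026-03-18T22:03:12.601Z reset_password user=carol token=tok_c3 result=success ip=198.51.100.9',
];

const LINE_RE = /^(\S+) reset_password user=(\S+) token=(\S+) result=(\S+) ip=(\S+)$/;

// Parses one line into an event; returns null for lines that do not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ts, user, token, result, ip] = m;
  return { ts: Date.parse(ts), user, token, result, ip };
}

// A reset token is single-use, so two successful completions with the same token should
// never happen. Each such token is reported with whether the completions fell within
// windowMs of each other (the near-simultaneous pattern a race produces) and the distinct
// source addresses involved. Failed attempts are not counted: one failure followed by one
// success (carol above) is the normal single-use outcome.
function findTokenReuse(lines, windowMs = 5000) {
  const byToken = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ev.result !== 'success') continue;
    if (!byToken.has(ev.token)) byToken.set(ev.token, []);
    byToken.get(ev.token).push(ev);
  }
  const findings = [];
  for (const [token, events] of byToken) {
    if (events.length < 2) continue;
    const times = events.map((e) => e.ts).sort((a, b) => a - b);
    const spanMs = times[times.length - 1] - times[0];
    findings.push({
      token,
      user: events[0].user,
      count: events.length,
      spanMs,
      concurrent: spanMs <= windowMs,
      ips: [...new Set(events.map((e) => e.ip))].sort(),
    });
  }
  return findings;
}

console.log(JSON.stringify(findTokenReuse(SAMPLE_LOG), null, 2));
```

On a patched server this rule should never fire, which makes it a cheap regression check as well as a detection: a second successful completion for one token on any version indicates either an unpatched node or a logging fault worth investigating. The windowMs flag only distinguishes near-simultaneous completions from replays spaced further apart; both are reported.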
Affected Countries
United States, Germany, United Kingdom, India, Canada, Australia, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T00:05:53.283Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bb2001771bdb1749c89335
Added to database: 3/18/2026, 9:58:25 PM
Last enriched: 3/18/2026, 10:13:10 PM
Last updated: 3/19/2026, 12:41:52 AM