
CVE-2026-32943: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in parse-community parse-server

Severity: Low
Tags: vulnerability, cve-2026-32943, cwe-367
Published: Wed Mar 18 2026 (03/18/2026, 21:46:17 UTC)
Source: CVE Database V5
Vendor/Project: parse-community
Product: parse-server

Description

CVE-2026-32943 is a TOCTOU race condition in the password reset flow of parse-community's parse-server, affecting versions prior to 9.6.0-alpha.28 and 8.6.48. The flaw allows multiple concurrent uses of the same reset token: an attacker who intercepts the token can race the legitimate user's reset request and potentially replace the legitimate password with their own, undermining the integrity of the password reset process and enabling unauthorized account takeover. The fix atomically validates and consumes the token during the password update, enforcing single use. No workarounds are known other than upgrading to a patched version.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/26/2026, 01:13:05 UTC

Technical Analysis

CVE-2026-32943 is a time-of-check to time-of-use (TOCTOU) race condition vulnerability classified under CWE-367, found in the password reset mechanism of parse-community's parse-server, an open-source backend platform for Node.js environments. In affected versions (>= 9.0.0, < 9.6.0-alpha.28 and < 8.6.48), the password reset tokens are not enforced as single-use tokens atomically. When a user requests a password reset, a token is generated and sent to the user. However, due to the race condition, multiple concurrent requests using the same token can be processed before the token is invalidated. An attacker who intercepts or obtains the reset token can exploit this by racing the legitimate password reset request, causing both requests to succeed. This results in the attacker’s password being set instead of the legitimate user’s, effectively hijacking the account. The root cause is that the token validation and consumption are not atomic operations, allowing a window where multiple requests can validate the same token. The fix implemented in versions 9.6.0-alpha.28 and 8.6.48 involves atomically validating and consuming the token within the password update database query, ensuring only one request can succeed with the token. This eliminates the race window and enforces single-use token semantics. There are no known workarounds other than upgrading to the fixed versions. No exploits are currently known in the wild. The vulnerability’s CVSS 4.0 score is 2.3, reflecting a low severity due to the complexity of exploitation, requirement for user interaction, and lack of impact on confidentiality or availability beyond the affected account’s integrity.
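The two patterns the analysis contrasts, as an added illustration that is not parse-server code: a check-then-act reset that yields to the event loop between validating and consuming the token, beside a reset in which the filter and the write happen as one operation (the shape of a conditional findOneAndUpdate). The in-memory store, field names and user record are constructed for the example.

```javascript
// Added example; the users store and its schema are assumptions, not parse-server's.
const yieldToEventLoop = () => new Promise((resolve) => setImmediate(resolve));

function makeStore() {
  // Constructed sample record holding a pending single-use reset token.
  return new Map([["alice", { password: "old", resetToken: "tok-123" }]]);
}

// Vulnerable pattern: validate (time of check), hop across an async boundary such
// as a DB round trip, then write (time of use). Two requests can both pass the check.
async function resetNonAtomic(store, username, token, newPassword) {
  const user = store.get(username);
  if (!user || user.resetToken !== token) return false; // time of check
  await yieldToEventLoop();                               // simulated DB latency
  user.password = newPassword;                            // time of use
  user.resetToken = null;
  return true;
}

// Hardened pattern: the token match and the write are one indivisible step, so the
// first request consumes the token and every later one fails the filter.
function consumeTokenAtomically(store, username, token, newPassword) {
  const user = store.get(username);
  if (!user || user.resetToken !== token) return false;
  user.password = newPassword;
  user.resetToken = null;
  return true;
}
async function resetAtomic(store, username, token, newPassword) {
  await yieldToEventLoop(); // latency sits before the atomic write, not inside it
  return consumeTokenAtomically(store, username, token, newPassword);
}

// Issue two concurrent resets with the same token; report how many were accepted
// and which password the account ended up with.
async function raceTwoResets(resetFn) {
  const store = makeStore();
  const results = await Promise.all([
    resetFn(store, "alice", "tok-123", "from-request-A"),
    resetFn(store, "alice", "tok-123", "from-request-B"),
  ]);
  return { successes: results.filter(Boolean).length, password: store.get("alice").password };
}

raceTwoResets(resetNonAtomic).then((r) => console.log("non-atomic:", r)); // 2 successes
raceTwoResets(resetAtomic).then((r) => console.log("atomic:", r));        // 1 success
```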

Potential Impact

The primary impact of this vulnerability is unauthorized account takeover through the password reset mechanism. An attacker who intercepts a reset token can replace the legitimate user’s password, locking out the rightful owner and gaining full access to the account. This compromises the integrity of user accounts and can lead to further exploitation such as data theft, privilege escalation, or fraudulent activities within the compromised account. Organizations relying on parse-server for backend services that include user authentication and password reset functionality are at risk. The impact is limited to accounts where password reset tokens can be intercepted, which may require network-level access or phishing. There is no direct impact on system-wide availability or confidentiality beyond the affected accounts. However, compromised accounts in sensitive environments can lead to significant operational and reputational damage. Since parse-server is widely used in various applications worldwide, any organization using vulnerable versions should consider the risk significant for their user base. The low CVSS score reflects the difficulty of exploitation and limited scope, but the targeted impact on account integrity can be severe for affected users.

Mitigation Recommendations

The only effective mitigation is to upgrade parse-server to version 9.6.0-alpha.28 or later, or 8.6.48 or later, where the password reset token consumption is atomic and race conditions are eliminated. Organizations should audit their deployments to identify affected versions and plan immediate upgrades. Until upgraded, organizations should monitor password reset activities for anomalies such as multiple reset attempts in a short time frame and consider additional logging and alerting on reset token usage. Implementing network-level protections to prevent interception of reset tokens, such as enforcing HTTPS/TLS for all communications and using secure email delivery mechanisms, can reduce the risk of token interception. Additionally, educating users about phishing risks and encouraging multi-factor authentication (MFA) can mitigate the impact of compromised accounts. However, these are compensating controls and do not fix the underlying vulnerability. No configuration changes or patches other than upgrading are available. Testing the upgrade in staging environments before production deployment is recommended to ensure compatibility.
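One way to act on the monitoring advice above while an upgrade is pending, as an added example (not parse-server code): scan password-reset audit lines and flag any token accepted more than once within a short window, which a single-use token should never be. The log format and every entry are constructed for the example; parse-server's own logging looks different.

```javascript
// Added example; the log format and entries are constructed, not parse-server's.
const SAMPLE_RESET_LOG = [
  "2026-03-20T10:00:00.000Z info password_reset user=alice token=a1b2 result=ok",
  "2026-03-20T10:00:00.120Z info password_reset user=alice token=a1b2 result=ok",
  "2026-03-20T10:05:00.000Z info password_reset user=bob token=c3d4 result=ok",
  "2026-03-20T10:09:30.000Z info password_reset user=carol token=e5f6 result=invalid",
  "2026-03-20T11:00:00.000Z info password_reset user=bob token=c3d4 result=ok",
  "unrelated line that does not match the format",
];

const RESET_LINE = /^(\S+) \S+ password_reset user=(\S+) token=(\S+) result=(\S+)$/;

function parseResetLine(line) {
  const m = RESET_LINE.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, user: m[2], token: m[3], result: m[4] };
}

// Returns one finding per token that was accepted more than once within windowMs
// of its first accepted use: the burst pattern a racing pair of requests leaves.
function findTokenReuse(lines, windowMs) {
  const byToken = new Map();
  for (const line of lines) {
    const ev = parseResetLine(line);
    if (!ev || ev.result !== "ok") continue; // only accepted resets consume a token
    if (!byToken.has(ev.token)) byToken.set(ev.token, []);
    byToken.get(ev.token).push(ev);
  }
  const findings = [];
  for (const [token, events] of byToken) {
    events.sort((a, b) => a.ts - b.ts);
    const burst = events.filter((e) => e.ts - events[0].ts <= windowMs);
    if (burst.length > 1) {
      findings.push({ token, user: burst[0].user, uses: burst.length,
                      spanMs: burst[burst.length - 1].ts - burst[0].ts });
    }
  }
  return findings;
}

console.log(findTokenReuse(SAMPLE_RESET_LOG, 60 * 1000)); // flags alice's token only
```

Widening the window (the second test below uses two hours) also surfaces bob's token, which was accepted twice an hour apart.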


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-17T00:05:53.283Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69bb2001771bdb1749c89335

Added to database: 3/18/2026, 9:58:25 PM

Last enriched: 3/26/2026, 1:13:05 AM

Last updated: 5/1/2026, 2:35:02 AM

