CVE-2026-33624 is a time-of-check to time-of-use (TOCTOU) race condition vulnerability categorized under CWE-367, found in the parse-community parse-server, an open-source backend platform running on Node.js. The flaw exists in the handling of MFA recovery codes during user authentication. Specifically, prior to versions 8.6.60 and 9.6.0-alpha.54, the system fails to properly synchronize the validation and consumption of MFA recovery codes. An attacker who has obtained both the user's password and a single valid MFA recovery code can send multiple concurrent login requests within milliseconds. Due to the race condition, the recovery code is not invalidated immediately upon first use, allowing it to be reused multiple times contrary to its intended single-use design. This undermines the security guarantees of MFA recovery codes, potentially allowing repeated account access using the same recovery code. However, exploitation requires possession of the user's password and a valid recovery code, as well as the capability to send rapid concurrent requests, making it a targeted attack vector. The vulnerability does not allow bypassing authentication without credentials. The issue has been patched in parse-server versions 8.6.60 and 9.6.0-alpha.54. The CVSS 4.0 base score is 2.1, reflecting low severity due to the high attack complexity and prerequisite credentials. No known exploits have been reported in the wild to date.

The primary impact of this vulnerability is the compromise of the intended single-use nature of MFA recovery codes. Attackers who have already obtained user credentials and a recovery code can reuse the recovery code multiple times to regain access to the account, potentially bypassing intended security controls. This could facilitate persistent unauthorized access, account takeover, or further lateral movement within an organization’s systems. While the vulnerability does not allow initial credential compromise, it weakens the security posture of MFA mechanisms, which are critical for protecting sensitive data and services. Organizations relying on parse-server for backend services, especially those managing sensitive user data or critical applications, may face increased risk of account abuse and reduced trust in MFA protections. The low CVSS score indicates limited impact scope and exploitation difficulty, but the risk is significant in environments where credential theft is possible or where attackers can perform high-speed concurrent requests.

Organizations should immediately upgrade parse-server to version 8.6.60 or later, or 9.6.0-alpha.54 or later, where the race condition has been fixed. In addition to patching, administrators should monitor authentication logs for unusual patterns of concurrent login attempts using MFA recovery codes, which may indicate exploitation attempts. Implementing rate limiting or throttling on login endpoints can reduce the feasibility of rapid concurrent requests needed to exploit this vulnerability. Educate users on safeguarding their passwords and MFA recovery codes to prevent credential theft. Consider deploying additional anomaly detection systems to flag suspicious authentication behaviors. For environments where immediate patching is not feasible, temporarily disabling MFA recovery codes or enforcing stricter session management policies may reduce risk. Finally, ensure that incident response plans include procedures for handling potential MFA recovery code abuse.