CVE-2026-33624 is a time-of-check to time-of-use (TOCTOU) race condition vulnerability classified under CWE-367, found in parse-community's parse-server, an open-source backend platform running on Node.js. The flaw exists in the handling of multi-factor authentication (MFA) recovery codes during login. Normally, MFA recovery codes are designed for single use to regain account access if the primary MFA device is unavailable. However, in affected versions (<8.6.60 and >=9.0.0 but <9.6.0-alpha.54), an attacker who has already obtained a user's password and one valid MFA recovery code can exploit a race condition by sending multiple concurrent login requests within milliseconds. Due to the TOCTOU issue, the server fails to properly invalidate the recovery code after the first use, allowing unlimited reuse of the same recovery code. This undermines the security model of MFA recovery codes, potentially enabling attackers to bypass intended single-use restrictions and maintain persistent unauthorized access. The attack requires possession of sensitive credentials (password and recovery code) and the ability to send highly concurrent requests rapidly, making exploitation complex. The vulnerability does not require user interaction beyond the attacker’s own actions and does not affect confidentiality, integrity, or availability beyond the compromised account. The issue has been addressed in parse-server versions 8.6.60 and 9.6.0-alpha.54 by fixing the race condition to ensure atomic invalidation of recovery codes. No known exploits have been reported in the wild, and the CVSS 4.0 score is 2.1, reflecting low severity due to the high attack complexity and prerequisite credentials.

The primary impact of this vulnerability is the potential for unauthorized persistent access to user accounts protected by MFA in affected parse-server deployments. Attackers who have obtained both a user's password and a single MFA recovery code can bypass the single-use restriction on recovery codes, allowing repeated account access without needing additional recovery codes. This compromises the integrity of the MFA mechanism, reducing the effectiveness of multi-factor authentication and increasing the risk of account takeover. For organizations relying on parse-server for backend services, especially those handling sensitive user data or critical applications, this could lead to unauthorized data access, fraud, or further lateral movement within their systems. However, the requirement for attacker possession of both password and recovery code, combined with the need for precise timing to exploit the race condition, limits the practical impact. There is no direct impact on system availability or broader network infrastructure. The vulnerability mainly affects user account security and trust in MFA recovery processes.

Organizations should immediately upgrade parse-server to version 8.6.60 or later, or 9.6.0-alpha.54 or later, where the race condition has been fixed. Until upgrades can be applied, administrators should consider disabling MFA recovery codes or implementing additional monitoring for unusual login patterns indicative of concurrent login attempts using recovery codes. Rate limiting or throttling concurrent login requests may reduce the feasibility of exploiting the race condition. Additionally, enforcing strong password policies and encouraging users to protect their recovery codes securely can reduce the risk of credential compromise. Implementing anomaly detection to flag multiple rapid login attempts with recovery codes can help detect exploitation attempts. Finally, educating users about the importance of safeguarding MFA recovery codes and passwords is critical to prevent attackers from obtaining the necessary credentials.