CVE-2026-34224 is a time-of-check to time-of-use (TOCTOU) race condition vulnerability classified under CWE-367, found in the parse-community parse-server, an open-source backend platform for Node.js environments. The flaw exists in the authentication mechanism, specifically in the handling of multi-factor authentication (MFA) recovery codes and SMS one-time passwords (OTPs) during login via the authData endpoint. An attacker who already possesses a valid authentication provider token along with a single MFA recovery code or SMS OTP can exploit this vulnerability by sending multiple concurrent login requests. Due to the race condition, the server fails to enforce the single-use guarantee of these MFA tokens, allowing the attacker to create multiple authenticated sessions simultaneously. This undermines the security model by enabling session persistence even after the legitimate user revokes sessions, potentially allowing unauthorized access to protected resources. The vulnerability affects parse-server versions earlier than 8.6.64 and versions from 9.0.0 up to but not including 9.7.0-alpha.8, where the issue has been patched. The CVSS 4.0 score is 2.1, reflecting a low severity primarily because exploitation requires possession of valid credentials and high attack complexity. No known exploits have been reported in the wild, but the vulnerability poses a risk to environments relying on MFA recovery codes or SMS OTPs for session security.

The primary impact of this vulnerability is the potential for unauthorized session persistence despite MFA protections, which can lead to unauthorized access to user accounts and sensitive data. Organizations relying on parse-server for backend services that implement MFA recovery codes or SMS OTPs may find their session revocation mechanisms ineffective, increasing the risk of account compromise. This could facilitate lateral movement within networks or prolonged unauthorized access if attackers maintain active sessions. Although the CVSS score is low due to the requirement of valid credentials and high attack complexity, the risk is significant in environments where MFA tokens are considered a critical security control. The vulnerability undermines trust in MFA mechanisms, potentially leading to compliance issues and reputational damage if exploited. Since parse-server is widely used in various industries for mobile and web applications, the impact can be broad, affecting user privacy and application integrity.

The most effective mitigation is to upgrade parse-server to version 8.6.64 or later, or 9.7.0-alpha.8 or later, where the vulnerability is patched. Organizations should audit their current parse-server versions and plan immediate upgrades to eliminate the race condition. Additionally, monitoring login endpoints for unusual patterns of concurrent authentication requests can help detect exploitation attempts. Implementing rate limiting or request serialization on the authData login endpoint can reduce the risk of concurrent login abuse. Reviewing MFA token issuance and revocation logic to ensure atomicity and proper synchronization is recommended for custom forks or similar systems. Finally, educating users about the importance of safeguarding MFA recovery codes and OTPs remains critical, as possession of these tokens is a prerequisite for exploitation.