CVE-2026-43930: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in parse-community parse-server
A race condition vulnerability in parse-community's parse-server prior to versions 8.6.76 and 9.9.0-alpha.2 allows two concurrent login requests using the same SMS one-time password (OTP) to both succeed, violating the intended single-use property of the OTP. Exploitation requires possession of the victim's password and interception of the active SMS OTP, making the attack surface narrow. This issue is fixed in versions 8.6.76 and 9.
AI Analysis
Technical Summary
Parse Server versions before 8.6.76 and 9.9.0-alpha.2 contain a race condition in the multi-factor authentication (MFA) SMS OTP login flow. Specifically, two concurrent /login requests with the same OTP can both succeed and generate valid session tokens, breaking the single-use constraint of the OTP. Successful exploitation requires the attacker to have the victim's password and to intercept the SMS OTP (e.g., via SIM swap or phishing). The vulnerability is identified as CWE-362 (race condition). The issue is resolved in versions 8.6.76 and 9.9.0-alpha.2.
Potential Impact
The vulnerability allows an attacker who already has the victim's password and can intercept the SMS OTP to reuse the OTP multiple times concurrently, potentially enabling multiple valid sessions. This undermines the security of the MFA mechanism by breaking the single-use guarantee of OTPs. However, the attack requires significant preconditions, limiting practical exploitation. The CVSS 4.0 score is low (2.1), reflecting the narrow attack vector and required privileges.
Mitigation Recommendations
Upgrade parse-server to version 8.6.76 or later, or 9.9.0-alpha.2 or later, where this race condition vulnerability is fixed. No other mitigation is indicated, as the fix is available in these versions.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-04T16:59:09.089Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a0333e5cbff5d8610ef1d3e
Added to database: 5/12/2026, 2:06:29 PM
Last enriched: 5/12/2026, 2:21:54 PM
Last updated: 5/12/2026, 5:45:09 PM