3 matches found
CVE-2026-34224 Parse Server: MFA single-use token bypass via concurrent authData login requests
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple...
CVE-2026-33624 Parse Server: MFA recovery code single-use bypass via concurrent requests
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending...
Improper Authentication Control
Filament is vulnerable to improper authentication control. The vulnerability is due to improper handling of app-based MFA recovery codes, which allows an attacker to reuse the same recovery code indefinitely to bypass authentication...