CVE-2026-32943
Published 2026-03-18
Priority P4 (low)
CVSS 3.1 base score 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS 0.21% (10.9th percentile)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user's password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker's password takes effect instead. All Parse Server deployments that use the password reset feature are affected. Starting in versions 9.6.0-alpha.28 and 8.6.48, the password reset token is now atomically validated and consumed as part of the password update operation. The database query that updates the password includes the reset token as a condition, ensuring that only one concurrent request can successfully consume the token. Subsequent requests using the same token will fail because the token has already been cleared. There is no known workaround other than upgrading.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | < 8.6.48 | 8.6.48 |
| parse-community | parse-server | — | — |
| parse-community | parse-server | >= 0 < 8.6.48 | 8.6.48 |
| parse-community | parse-server | >= 9.0.0 < 9.6.0-alpha.28 | 9.6.0-alpha.28 |
| parseplatform | parse-server | < 8.6.48 | 8.6.48 |
| parseplatform | parse-server | — | — |
| parseplatform | parse-server | >= 9.0.0 < 9.6.0 | 9.6.0 |
CVSS provenance
NVD, CVSS v3.1: 3.1 LOW, CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
NVD, CVSS v4.0: 2.3 LOW, CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV
osv · 2026-03-17
CVE-2026-32943 [LOW] Parse Server has a password reset token single-use bypass via concurrent requests
### Impact
The password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user's password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker's password takes effect instead.
All Parse Server deployments that use the password reset feature are affected.
### Patches
The password reset token is now atomically validated and consumed as part of the password update operation.
GHSA
ghsa · 2026-03-17
CVE-2026-32943 [LOW] CWE-367 Parse Server has a password reset token single-use bypass via concurrent requests
Impact and patch text are identical to the OSV entry above.
No detection rules found.
No public exploits indexed.