CVE-2026-31875: Parse Server's MFA recovery codes not consumed after use
When multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts.
An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated.
References
- github.com/advisories/GHSA-4hf6-3x24-c9m8
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/releases/tag/8.6.33
- github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7
- github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8
- nvd.nist.gov/vuln/detail/CVE-2026-31875
Code Behaviors & Features
Detect and mitigate CVE-2026-31875 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →