CVE-2026-32943: Parse Server has a password reset token single-use bypass via concurrent requests
(updated )
The password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user’s password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker’s password takes effect instead.
All Parse Server deployments that use the password reset feature are affected.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-32943 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →