{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-10T07:00:00.256","vulnerabilities":[{"cve":{"id":"CVE-2026-32943","sourceIdentifier":"security-advisories@github.com","published":"2026-03-18T22:16:25.810","lastModified":"2026-03-19T16:55:36.633","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user's password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker's password takes effect instead. All Parse Server deployments that use the password reset feature are affected. Starting in versions 9.6.0-alpha.28 and 8.6.48, the password reset token is now atomically validated and consumed as part of the password update operation. The database query that updates the password includes the reset token as a condition, ensuring that only one concurrent request can successfully consume the token. Subsequent requests using the same token will fail because the token has already been cleared. There is no known workaround other than upgrading."},{"lang":"es","value":"Parse Server es un backend de código abierto que puede implementarse en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 9.6.0-alpha.28 y 8.6.48, el mecanismo de restablecimiento de contraseña no aplica garantías de un solo uso para los tokens de restablecimiento. Cuando un usuario solicita un restablecimiento de contraseña, el token generado puede ser consumido por múltiples solicitudes concurrentes dentro de una ventana de tiempo corta. Un atacante que ha interceptado un token de restablecimiento de contraseña puede competir con la solicitud de restablecimiento de contraseña del usuario legítimo, haciendo que ambas solicitudes tengan éxito. Esto puede resultar en que el usuario legítimo crea que su contraseña fue cambiada exitosamente mientras que la contraseña del atacante entra en vigor en su lugar. Todas las implementaciones de Parse Server que utilizan la función de restablecimiento de contraseña están afectadas. A partir de las versiones 9.6.0-alpha.28 y 8.6.48, el token de restablecimiento de contraseña ahora se valida y consume atómicamente como parte de la operación de actualización de contraseña. La consulta a la base de datos que actualiza la contraseña incluye el token de restablecimiento como una condición, asegurando que solo una solicitud concurrente pueda consumir exitosamente el token. Las solicitudes posteriores que utilicen el mismo token fallarán porque el token ya ha sido borrado. No existe una solución alternativa conocida aparte de la actualización."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","baseScore":3.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-367"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*","versionEndExcluding":"8.6.48","matchCriteriaId":"149CCB71-74B2-45AF-97B6-C88A17ACB94D"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.6.0","matchCriteriaId":"1BAC01F8-0899-482C-8D91-64671BF2859A"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*","matchCriteriaId":"BBED261F-CA1B-44BC-9C3A-37378590EFEE"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*","matchCriteriaId":"418338C9-6AEC-492C-ACA4-9B3C0AAE149C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*","matchCriteriaId":"808B6482-BF8E-407D-8462-E757657CC323"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*","matchCriteriaId":"B84C28F8-AADE-41BB-A0EF-B701AB57DC3A"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*","matchCriteriaId":"7567BB81-7837-4265-B792-6A9B73CECF93"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14:*:*:*:node.js:*:*","matchCriteriaId":"0035C6F1-21B9-42D1-BE29-690905F3558C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15:*:*:*:node.js:*:*","matchCriteriaId":"623FB30A-0693-4449-80FA-16D36B1BE66C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16:*:*:*:node.js:*:*","matchCriteriaId":"9B420167-CD3E-45A7-AD9A-0F83AEC634BA"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17:*:*:*:node.js:*:*","matchCriteriaId":"030A8626-DBBD-4BF2-B362-79B44FB1204D"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18:*:*:*:node.js:*:*","matchCriteriaId":"D38CFCC3-2AA9-4C8E-9064-FE97E6E8C45C"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19:*:*:*:node.js:*:*","matchCriteriaId":"65BB78F2-3A1A-4CD1-B8A8-4AB043B5CA50"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*","matchCriteriaId":"EDC98AF7-8620-4A25-9BE5-623672599677"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20:*:*:*:node.js:*:*","matchCriteriaId":"23E28E0F-9379-4628-B9DC-8C94A45902CF"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21:*:*:*:node.js:*:*","matchCriteriaId":"6631BE51-74FB-40C0-9E91-0EDF2DCADD7A"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22:*:*:*:node.js:*:*","matchCriteriaId":"8B0E4254-14A3-4EB6-9E98-CF45EB08B17F"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23:*:*:*:node.js:*:*","matchCriteriaId":"0FF63FDE-75F5-44B6-A958-CF653D84D3B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24:*:*:*:node.js:*:*","matchCriteriaId":"252B812D-A162-41C1-91CD-08D0CBAC5C46"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25:*:*:*:node.js:*:*","matchCriteriaId":"421691EA-F55A-4738-8ABD-74B53B6DF155"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26:*:*:*:node.js:*:*","matchCriteriaId":"5E7FAB59-142E-4191-9A6F-0744D810CD81"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27:*:*:*:node.js:*:*","matchCriteriaId":"B010F310-05A1-48AE-B002-8F4C7FA62EB3"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*","matchCriteriaId":"DF340605-8CC8-4543-9F5D-E8602D258CED"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*","matchCriteriaId":"A052DFCA-EDCC-43D7-82C7-E5311F6F7687"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*","matchCriteriaId":"12B11714-B961-4330-B241-FC5AF94FDBE8"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*","matchCriteriaId":"37A7C42B-4986-4BB6-BB27-0324A9AA1CFF"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*","matchCriteriaId":"C793834B-64B4-4DE9-BD7D-79B52C30C34E"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*","matchCriteriaId":"7AD455C8-88BE-4A0A-B33D-3A7811FFB753"},{"vulnerable":true,"criteria":"cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*","matchCriteriaId":"26C475A2-997C-4C3A-8CB6-04AB3534BBC3"}]}]}],"references":[{"url":"https://github.com/parse-community/parse-server/pull/10216","source":"security-advisories@github.com","tags":["Issue Tracking"]},{"url":"https://github.com/parse-community/parse-server/pull/10217","source":"security-advisories@github.com","tags":["Issue Tracking"]},{"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-r3xq-68wh-gwvh","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}