Main Vulnerability Database SB2026040758

SB2026040758 - Operation on a Resource after Expiration or Release in Parse Server

Published: April 7, 2026

Security Bulletin ID SB2026040758

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Operation on a Resource after Expiration or Release (CVE-ID: CVE-2026-31875)

The vulnerability allows a remote attacker to repeatedly authenticate as an affected user.

The vulnerability exists due to operation on a resource after expiration or release in the MFA recovery code handling logic when validating recovery codes during login. A remote attacker can use an obtained recovery code multiple times to repeatedly authenticate as an affected user.

The issue affects accounts with TOTP-based multi-factor authentication enabled, and exploitation requires obtaining a valid recovery code.

Remediation

Install update from vendor's website.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8