CVE-2026-53726
published 2026-06-12CVE-2026-53726: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation…
PriorityP343medium6.9CVSS 4.0
AVNACLATNPRNUINVCLVINVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.28%
19.3th percentile
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry — no user session, master key, or Cloud Code is needed. As a result, an unauthenticated client who knows or obtains the owning object's objectId could enumerate the objects linked through a protected relation, or combine the operator with an objectId constraint to use it as a membership oracle — confirming whether a specific object is linked to a private parent. This affects applications that rely on protectedFields or object ACLs to keep Relation membership confidential, such as private group memberships, block lists, or account-to-resource associations. This issue has been patched in versions 8.6.80 and 9.9.1-alpha.6.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | < 8.6.80 | 8.6.80 |
| parse-community | parse-server | — | — |
| parse-community | parse-server | >= 0 < 8.6.80 | 8.6.80 |
| parse-community | parse-server | >= 9.0.0 < 9.9.1-alpha.6 | 9.9.1-alpha.6 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
ghsa·2026-06-19
CVE-2026-53726 [MEDIUM] CWE-639 parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
### Impact
A relation query using the `$relatedTo` operator could read the membership of a `Relation` field even when that field was hidden from the requesting client by `protectedFields`, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry — no user session, master key, or Cloud Code is needed.
As a result, an unauthenticated client who knows or obtains the owning object's `objectId` could enumerate the objects linked through a protected relation, or combine the operator with an `objectId` constraint to use it as a membership oracle — confirming
VulDB
parse-community parse-server up to 8.6.79/9.9.1-alpha.5 Private Group relatedTo authorization (GHSA-wmwx-jr2p-4j4r)
vuldb·2026-06-12·CVSS 6.9
CVE-2026-53726 [MEDIUM] parse-community parse-server up to 8.6.79/9.9.1-alpha.5 Private Group relatedTo authorization (GHSA-wmwx-jr2p-4j4r)
A vulnerability was found in parse-community parse-server up to 8.6.79/9.9.1-alpha.5. It has been rated as problematic. This issue affects some unknown processing of the component Private Group Handler. Performing a manipulation of the argument relatedTo results in authorization bypass.
This vulnerability is identified as CVE-2026-53726. The attack can be initiated remotely. There is not any exploit available.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-12
Published