Authentication Bypass Vulnerability in Parse Server by Parse Community
CVE-2026-53726
What is CVE-2026-53726?
An issue exists within Parse Server that allows an unauthenticated client to exploit a relation query utilizing the $relatedTo operator. This enables them to access the membership of a Relation field, even if the field is set as hidden through protectedFields. Moreover, the vulnerability permits access when the owning object is not readable due to ACL or class-level permissions. By simply having the public API credentials typical of Parse clients, an unauthenticated user can discover linked objects through a protected relation. This can compromise the confidentiality of private group memberships or resource associations. The issue has been fixed in versions 8.6.80 and 9.9.1-alpha.6.
Affected Version(s)
parse-server < 8.6.80 < 8.6.80
parse-server >= 9.0.0, < 9.9.1-alpha.6 < 9.0.0, 9.9.1-alpha.6
