Authentication Bypass Vulnerability in Parse Server by Parse Community
CVE-2026-53726

6.9MEDIUM

Key Information:

Vendor
CVE Published:
12 June 2026

What is CVE-2026-53726?

An issue exists within Parse Server that allows an unauthenticated client to exploit a relation query utilizing the $relatedTo operator. This enables them to access the membership of a Relation field, even if the field is set as hidden through protectedFields. Moreover, the vulnerability permits access when the owning object is not readable due to ACL or class-level permissions. By simply having the public API credentials typical of Parse clients, an unauthenticated user can discover linked objects through a protected relation. This can compromise the confidentiality of private group memberships or resource associations. The issue has been fixed in versions 8.6.80 and 9.9.1-alpha.6.

Affected Version(s)

parse-server < 8.6.80 < 8.6.80

parse-server >= 9.0.0, < 9.9.1-alpha.6 < 9.0.0, 9.9.1-alpha.6

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.