CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-53726: Authorization Bypass in Parse Server Relation Queries ($relatedTo)

Vulnerability ID: CVE-2026-53726
CVSS Score: 6.9
Published: 2026-06-19

Parse Server prior to versions 8.6.80 and 9.9.1-alpha.6 contains an authorization bypass in its relation query handling. A database query that uses the $relatedTo operator can read the membership of a Relation field even when that field is hidden via protectedFields or restricted by object-level Access Control Lists (ACLs).

TL;DR

An unauthenticated remote attacker can bypass relation-level access controls and object-level ACLs using the $relatedTo query operator to extract private membership data and map relational structures.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-639: Authorization Bypass Through User-Controlled Key
  • Attack Vector: Network (Remote, Public API)
  • CVSS v4.0 Score: 6.9 (Medium)
  • EPSS Score: 0.00276
  • Exploit Status: PoC Available (Unit/Integration Tests)
  • KEV Status: Not Listed

Affected Systems

  • Parse Server deployments
  • parse-server: < 8.6.80 (Fixed in: 8.6.80)
  • parse-server: >= 9.0.0, < 9.9.1-alpha.6 (Fixed in: 9.9.1-alpha.6)

Mitigation Strategies

  • Upgrade to patched versions of Parse Server
  • Implement Cloud Code beforeFind validation for $relatedTo parameters
  • Refactor direct Relation fields into an intermediate join class whose access is limited by Class-Level Permissions (CLPs)
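The second mitigation above, a Cloud Code beforeFind guard, as an added example written for this post. It is not Parse Server's own code and not the upstream fix shipped in 8.6.80 / 9.9.1-alpha.6. It assumes a hypothetical schema: classes Group and Project with Relation fields members and collaborators, an owner pointer on each parent, and _User as the class the relation query runs against; the PROTECTED_RELATIONS policy, the ownerOf lookup and the sample where clauses are all constructed for the example. The two pure functions run without Parse installed; the Cloud Code registration only executes when the Parse SDK is present.

```javascript
// Added example for this post (not Parse Server's own code, and not the upstream fix):
// a Cloud Code beforeFind guard that refuses $relatedTo queries against Relation
// fields marked as protected unless the caller uses the master key or owns the
// parent object. Class names, relation keys and the 'owner' field are assumed.

// Assumed policy: className -> set of Relation keys whose membership must not be
// enumerated through $relatedTo by arbitrary clients.
const PROTECTED_RELATIONS = {
  Group: new Set(['members']),
  Project: new Set(['collaborators']),
};

// Walk a Parse "where" clause and collect every $relatedTo constraint, including
// ones nested under $or / $and / $nor. Each hit records the parent class, the
// relation key, and the parent objectId whose membership the query would read.
function collectRelatedTo(where, hits = []) {
  if (!where || typeof where !== 'object') return hits;
  for (const [field, value] of Object.entries(where)) {
    if (field === '$relatedTo' && value && value.object) {
      hits.push({
        className: value.object.className,
        key: value.key,
        objectId: value.object.objectId,
      });
    } else if (['$or', '$and', '$nor'].includes(field) && Array.isArray(value)) {
      value.forEach((sub) => collectRelatedTo(sub, hits));
    }
  }
  return hits;
}

// Decide whether the caller may run this where clause.
// ctx = { master: boolean, userId: string|null } mirrors what beforeFind exposes.
// ownerOf(className, objectId) is a caller-supplied lookup returning the owner's
// user id (or null); it stands in for whatever ownership rule your ACLs encode.
function checkRelatedToAccess(where, ctx, ownerOf) {
  if (ctx.master) return { allowed: true };
  for (const hit of collectRelatedTo(where)) {
    const keys = PROTECTED_RELATIONS[hit.className];
    if (!keys || !keys.has(hit.key)) continue; // not a protected relation
    if (!ctx.userId) {
      return { allowed: false, reason: `anonymous $relatedTo on ${hit.className}.${hit.key}` };
    }
    if (ownerOf(hit.className, hit.objectId) !== ctx.userId) {
      return { allowed: false, reason: `${ctx.userId} does not own ${hit.className}/${hit.objectId}` };
    }
  }
  return { allowed: true };
}

// Register the guard when running inside Parse Server. A $relatedTo constraint on
// Group.members is a query *for users*, so the trigger goes on the queried class
// (assumed here to be _User), not on Group. Guarded so the file also loads
// outside Parse for the stand-alone checks below.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeFind('_User', async (request) => {
    const where = request.query.toJSON().where || {};
    const ctx = { master: request.master, userId: request.user ? request.user.id : null };
    // Resolve parent owners with the master key so the parent's own ACL cannot
    // hide it from this check; 'owner' is an assumed Pointer<_User> field.
    // A missing parent makes get() throw, which also rejects the query.
    const owners = new Map();
    for (const hit of collectRelatedTo(where)) {
      const parent = await new Parse.Query(hit.className).get(hit.objectId, { useMasterKey: true });
      const owner = parent.get('owner');
      owners.set(`${hit.className}/${hit.objectId}`, owner ? owner.id : null);
    }
    const verdict = checkRelatedToAccess(where, ctx, (cls, id) => owners.get(`${cls}/${id}`) || null);
    if (!verdict.allowed) {
      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, verdict.reason);
    }
  });
}

// Constructed sample where clauses, shaped like the JSON the Parse SDKs send.
const SAMPLE_RELATED_TO = {
  $relatedTo: { object: { __type: 'Pointer', className: 'Group', objectId: 'grp001' }, key: 'members' },
};
const SAMPLE_NESTED = {
  $or: [
    { username: 'alice' },
    { $relatedTo: { object: { __type: 'Pointer', className: 'Project', objectId: 'prj9' }, key: 'collaborators' } },
  ],
};
// Constructed ownership table standing in for a database lookup.
const OWNERS = { 'Group/grp001': 'u_owner', 'Project/prj9': 'u_pm' };
const ownerOf = (cls, id) => OWNERS[`${cls}/${id}`] || null;

// Stand-alone demonstration of the verdicts (only when not running inside Parse).
if (typeof Parse === 'undefined') {
  console.log(checkRelatedToAccess(SAMPLE_RELATED_TO, { master: false, userId: null }, ownerOf));
  console.log(checkRelatedToAccess(SAMPLE_RELATED_TO, { master: false, userId: 'u_owner' }, ownerOf));
  console.log(checkRelatedToAccess(SAMPLE_NESTED, { master: false, userId: 'u_owner' }, ownerOf));
}
```

The trigger is registered on the class being queried, because a $relatedTo constraint on Group.members asks for users, not for groups; register it on every class that can appear on the "many" side of a protected relation. The guard narrows the query surface for the listed relations only and does not replace the upgrade.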

Remediation Steps

  1. Identify vulnerable parse-server dependency versions in package.json
  2. Update package dependency version constraint to require parse-server >= 8.6.80 or >= 9.9.1-alpha.6
  3. Execute npm update parse-server to fetch the secure builds
  4. Verify, with restrictive Class-Level Permissions (CLPs) in place and integration tests, that $relatedTo queries no longer return protected relation membership
