SB2026063050 - Authorization bypass through user-controlled key in Parse Server


Published: June 30, 2026

Security Bulletin ID SB2026063050
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-53726)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to insufficient authorization checks in the $relatedTo relation query handler. A remote attacker who knows the objectId of an owning object can send a specially crafted $relatedTo query referencing that objectId and obtain the members of a relation on that object.

The issue can expose relation membership even when the relation field is hidden by protectedFields and the owning object is not readable by the requester under its ACL or the class-level permissions: the relation is resolved without the read restrictions that apply to the owning object and to the relation field.
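The following is an added illustration, not code from Parse Server or from this bulletin. It shows the shape of a $relatedTo constraint as it appears in a query's where clause and the pre-check a relation query handler needs before resolving it, covering the two conditions named above: the owning object must be readable by the requester under its ACL and the class-level permissions, and the relation key must not be hidden from the requester by protectedFields. The class, object, user and role names and the permission tables are constructed sample data; the rule used to combine several applicable protectedFields entries (keep only fields hidden by all of them) is the model assumed here.

```javascript
// Added illustration (not Parse Server's own code): authorization pre-check
// for a $relatedTo relation query. The query must be refused when the caller
// cannot read the owning object (ACL / class-level permissions) or when the
// relation key is hidden from the caller by protectedFields.

// Constructed sample state. Class, object, user and role names are hypothetical.
const classLevelPermissions = {
  // Anyone may "get" a Team; each object's ACL then decides individually.
  Team: { get: { "*": true }, find: { "*": true } },
};

const protectedFields = {
  // "members" is hidden from everyone; the admin role has nothing hidden.
  Team: { "*": ["members"], "role:admin": [] },
};

const objects = {
  Team: {
    t1: {
      objectId: "t1",
      // Not publicly readable; readable by the admin role and by user u3.
      ACL: { "*": { read: false }, "role:admin": { read: true }, u3: { read: true } },
    },
  },
};

// A $relatedTo constraint as sent in a query's `where` clause:
// "objects related to Team t1 through its `members` relation".
const relatedToQuery = {
  $relatedTo: {
    object: { __type: "Pointer", className: "Team", objectId: "t1" },
    key: "members",
  },
};

// Keys under which permission tables are looked up for a caller:
// "*" for everyone, the user's id, and "role:<name>" for each role.
function principalsFor(request) {
  const keys = ["*"];
  if (request.userId) keys.push(request.userId);
  for (const role of request.roles || []) keys.push(`role:${role}`);
  return keys;
}

// An object without an ACL is public; otherwise some principal must grant read.
function aclAllowsRead(acl, principals) {
  if (!acl) return true;
  return principals.some((p) => acl[p] && acl[p].read === true);
}

// A missing class-level entry for an operation leaves that operation open.
function clpAllows(className, op, principals) {
  const clp = classLevelPermissions[className] && classLevelPermissions[className][op];
  if (!clp) return true;
  return principals.some((p) => clp[p] === true);
}

// Fields hidden from this caller. Assumed model: take every protectedFields
// entry that applies to the caller and keep only the fields hidden by all of
// them, so a role entry with an empty list unhides what "*" hides.
function effectiveProtectedFields(className, principals) {
  const table = protectedFields[className] || {};
  const lists = principals.filter((p) => p in table).map((p) => new Set(table[p]));
  if (lists.length === 0) return new Set();
  return lists.reduce((acc, s) => new Set([...acc].filter((f) => s.has(f))));
}

// Decide whether `where.$relatedTo` may be resolved for `request`.
// request: { userId?, roles?, master? }. Returns { ok, reason }.
function checkRelatedTo(where, request) {
  const rel = where && where.$relatedTo;
  if (!rel) return { ok: true, reason: "no $relatedTo constraint" };
  if (request.master) return { ok: true, reason: "master key" };
  const { object, key } = rel;
  if (!object || object.__type !== "Pointer" || typeof key !== "string") {
    return { ok: false, reason: "malformed $relatedTo" };
  }
  const principals = principalsFor(request);
  if (!clpAllows(object.className, "get", principals)) {
    return { ok: false, reason: "class-level permission denies get" };
  }
  const owner = (objects[object.className] || {})[object.objectId];
  // Unknown and unreadable owning objects get the same answer, so the
  // caller-supplied objectId cannot be used to probe for existence.
  if (!owner || !aclAllowsRead(owner.ACL, principals)) {
    return { ok: false, reason: "owning object not readable" };
  }
  if (effectiveProtectedFields(object.className, principals).has(key)) {
    return { ok: false, reason: "relation key is protected" };
  }
  return { ok: true, reason: "authorized" };
}

// Stand-alone run: anonymous caller, user with an ACL grant, admin.
console.log(checkRelatedTo(relatedToQuery, {}).reason);
console.log(checkRelatedTo(relatedToQuery, { userId: "u3" }).reason);
console.log(checkRelatedTo(relatedToQuery, { userId: "u1", roles: ["admin"] }).reason);
```

The order of the checks matters: the ACL test runs before the protectedFields test and returns the same refusal for a missing object as for an unreadable one, so a caller cannot first learn that an objectId exists and then that its relation is protected. A user whom the ACL allows to read the owning object (u3 in the sample) is still refused when the relation key is protected for them, which is the case the bulletin describes.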


Remediation

Install the update from the vendor's website.