SB2026063050 - Authorization bypass through user-controlled key in Parse Server
Published: June 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-53726)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to authorization bypass through a user-controlled key in the $relatedTo relation query handler when processing relation queries. A remote attacker can send a specially crafted query referencing an owning object's objectId to disclose sensitive information.
The issue can expose relation membership even when the relation field is hidden by protectedFields and the owning object is not readable under ACL or class-level permissions.
Remediation
Install update from vendor's website.