Authorization bypass through user-controlled key in Parse Server - CVE-2026-53726
Published: June 30, 2026
Parse Server
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to authorization bypass through a user-controlled key in the $relatedTo relation query handler when processing relation queries. A remote attacker can send a specially crafted query referencing an owning object's objectId to disclose sensitive information.
The issue can expose relation membership even when the relation field is hidden by protectedFields and the owning object is not readable under ACL or class-level permissions.