Authorization bypass through user-controlled key in Parse Server - CVE-2026-53726

 

Published: June 30, 2026


Vulnerability identifier: #VU135969
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-53726
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software: Parse Server

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because the $relatedTo relation query handler trusts a user-controlled key when processing relation queries. A remote attacker can send a specially crafted query that references an owning object's objectId and thereby disclose sensitive information.

The issue can expose relation membership even when the relation field is hidden by protectedFields and the owning object is not readable under ACL or class-level permissions.
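The check below, as an added example that is not Parse Server's own code or its fix, shows the defender-side condition the advisory describes: every owning object referenced by a $relatedTo constraint must be readable by the requester before the relation is resolved. It assumes the Parse REST where-clause format for $relatedTo (a Pointer under object plus a key) and a caller-supplied canRead callback; using it from a Parse.Cloud.beforeFind trigger via request.query.toJSON().where is an assumption about Parse Cloud Code.

```javascript
// Added example (not Parse Server code): locate every $relatedTo constraint in a
// Parse REST "where" clause and reject the query unless the requester may read the
// owning object's relation field. Intended as a compensating control, e.g. called
// from a Parse.Cloud.beforeFind trigger with request.query.toJSON().where (assumption).

// Recursively collect {className, objectId, key} for each $relatedTo, including
// constraints nested under $or / $and / $nor.
function findRelatedTo(where, out = []) {
  if (!where || typeof where !== 'object') return out;
  for (const [field, value] of Object.entries(where)) {
    if (field === '$relatedTo') {
      const obj = value && value.object;
      if (!obj || obj.__type !== 'Pointer' || typeof obj.className !== 'string' ||
          typeof obj.objectId !== 'string' || typeof value.key !== 'string') {
        throw new Error('malformed $relatedTo constraint');
      }
      out.push({ className: obj.className, objectId: obj.objectId, key: value.key });
    } else if (['$or', '$and', '$nor'].includes(field) && Array.isArray(value)) {
      value.forEach((sub) => findRelatedTo(sub, out));
    }
  }
  return out;
}

// canRead(className, objectId, key) is supplied by the caller and must answer with
// the *requester's* credentials (ACL, class-level permissions and protectedFields),
// never with the master key. Returns the number of constraints that passed.
function enforceRelatedTo(where, canRead) {
  const refs = findRelatedTo(where);
  for (const r of refs) {
    if (!canRead(r.className, r.objectId, r.key)) {
      throw new Error(`relation ${r.className}.${r.key} on ${r.objectId} is not readable`);
    }
  }
  return refs.length;
}

// Constructed sample: a query for comments related to one Post through its
// "comments" relation, OR-ed with an ordinary field constraint.
const sampleWhere = {
  $or: [
    { $relatedTo: { object: { __type: 'Pointer', className: 'Post', objectId: 'POST_A' },
                    key: 'comments' } },
    { author: 'alice' },
  ],
};
```

A query that carries no $relatedTo constraint passes through untouched, so the control only adds a lookup where the advisory's bypass applies.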


How to mitigate CVE-2026-53726

Install the security update from the vendor's website.

Sources