CVE-2026-53726

Source
https://cve.org/CVERecord?id=CVE-2026-53726
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53726.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53726
Aliases
Published
2026-06-12T18:37:01.695Z
Modified
2026-07-08T08:12:41.210125494Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
Details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry — no user session, master key, or Cloud Code is needed. As a result, an unauthenticated client who knows or obtains the owning object's objectId could enumerate the objects linked through a protected relation, or combine the operator with an objectId constraint to use it as a membership oracle — confirming whether a specific object is linked to a private parent. This affects applications that rely on protectedFields or object ACLs to keep Relation membership confidential, such as private group memberships, block lists, or account-to-resource associations. This issue has been patched in versions 8.6.80 and 9.9.1-alpha.6.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53726.json"
}
References

Affected packages

Git / github.com/parse-community/parse-server

Affected ranges

Type
GIT
Repo
https://github.com/parse-community/parse-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.6.80"
        },
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.9.1-alpha.6"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0
2.2.1
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.2.2
2.2.20
2.2.21
2.2.22
2.2.23
2.2.24
2.2.25
2.2.25-beta.1
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.4.0
2.4.1
2.4.2
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.8.0
2.8.2
3.*
3.0.0
3.1.0
3.1.1
3.1.2
3.1.3
3.10.0
3.2.0
3.2.1
3.2.2
3.2.3
3.3.0
3.4.0
3.4.1
3.5.0
3.6.0
3.7.0
3.7.1
3.7.2
3.8.0
3.9.0
4.*
4.0.0
4.0.1
4.0.2
4.1.0
4.2.0
4.3.0
4.4.0
4.5.0
5.*
5.0.0
5.0.0-alpha.1
5.1.0
5.1.1
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.3.0
5.3.1
5.3.2
5.3.3
5.4.0
6.*
6.0.0
6.1.0
6.2.0
6.2.1
6.2.2
6.3.0
6.3.1
6.4.0
7.*
7.0.0
7.1.0
7.2.0
7.3.0
7.4.0
8.*
8.0.0
8.0.1
8.0.2
8.1.0
8.2.0
8.2.1
8.2.2
8.2.3
8.2.4
8.2.5
8.3.0
8.4.0
8.5.0
8.6.0
8.6.1
8.6.10
8.6.11
8.6.12
8.6.13
8.6.14
8.6.15
8.6.16
8.6.17
8.6.18
8.6.19
8.6.2
8.6.20
8.6.21
8.6.22
8.6.23
8.6.24
8.6.25
8.6.26
8.6.27
8.6.28
8.6.29
8.6.3
8.6.30
8.6.31
8.6.32
8.6.33
8.6.34
8.6.35
8.6.36
8.6.37
8.6.38
8.6.39
8.6.4
8.6.40
8.6.41
8.6.42
8.6.43
8.6.44
8.6.45
8.6.46
8.6.47
8.6.48
8.6.49
8.6.5
8.6.50
8.6.51
8.6.52
8.6.53
8.6.54
8.6.55
8.6.56
8.6.57
8.6.58
8.6.59
8.6.6
8.6.60
8.6.61
8.6.62
8.6.63
8.6.64
8.6.65
8.6.66
8.6.67
8.6.68
8.6.69
8.6.7
8.6.70
8.6.71
8.6.72
8.6.73
8.6.74
8.6.75
8.6.76
8.6.77
8.6.78
8.6.79
8.6.8
8.6.9
9.*
9.0.0
9.1.0
9.1.1
9.2.0
9.3.0
9.3.1
9.4.0
9.4.1
9.5.0
9.5.1
9.6.0
9.6.1
9.7.0
9.8.0
9.9.0
9.9.1-alpha.1
9.9.1-alpha.2
9.9.1-alpha.3
9.9.1-alpha.4
9.9.1-alpha.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53726.json"