CVE-2026-53726 Overview
CVE-2026-53726 is an authorization flaw in Parse Server, an open source Node.js backend used by mobile and web applications. The vulnerability allows an unauthenticated client holding only the public API credentials to read membership of a Relation field protected by protectedFields or class-level ACLs. By issuing a query with the $relatedTo operator against a known objectId, attackers can enumerate linked objects or use the operator as a membership oracle to confirm whether a specific object belongs to a private relation. The issue is tracked as [CWE-639] Authorization Bypass Through User-Controlled Key and is patched in versions 8.6.80 and 9.9.1-alpha.6.
Critical Impact
Unauthenticated attackers can disclose private relation memberships such as group rosters, block lists, or account-to-resource links using only public API keys.
Affected Products
- Parse Server versions prior to 8.6.80
- Parse Server 9.x versions prior to 9.9.1-alpha.6
- Applications relying on protectedFields or object ACLs to keep Relation fields confidential
Discovery Timeline
- 2026-06-12 - CVE-2026-53726 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-53726
Vulnerability Analysis
Parse Server exposes a query operator named $relatedTo that returns objects linked to a parent through a Relation field. The authorization check on this path does not honor the protectedFields configuration or the parent object's ACL when evaluating the relation. As a result, the server resolves and returns membership data even when the requesting client has no read permission on the parent object or the relation field itself.
The operator accepts a parent objectId, a class name, and the name of the Relation field. When the operator is used with an additional objectId constraint on the target side, the server reveals whether that specific object is linked to the parent. This converts the bug into a membership oracle, allowing attackers to confirm associations one object at a time.
Applications that store private group memberships, block lists, follower lists, or account-to-resource links inside Relation fields are directly exposed. The exposure is limited to confidentiality of relation membership and does not affect integrity or availability.
Root Cause
The relation resolution code path skips the field-level and object-level authorization checks that the rest of the query pipeline enforces. protectedFields is applied to projected attributes on the returned object but is not applied when the field is dereferenced through $relatedTo. Object ACL checks on the parent are likewise bypassed during the join.
Attack Vector
The attack requires only the public application ID and client key that Parse mobile and web clients ship with. No user session, master key, or Cloud Code execution is needed. An attacker who knows or guesses a parent objectId issues a standard REST or SDK query containing a $relatedTo constraint and receives the linked objects in the response body. The vulnerability manifests in the relation query handler. See the GitHub Security Advisory GHSA-wmwx-jr2p-4j4r for technical details.
Detection Methods for CVE-2026-53726
Indicators of Compromise
- HTTP requests to /parse/classes/<ClassName> containing a $relatedTo operator in the where parameter against objects the requesting session has no ACL to read
- Bursts of $relatedTo queries from a single client iterating across objectId values, indicating membership oracle abuse
- Anonymous or unauthenticated sessions issuing relation queries against classes that normally require authenticated reads
Detection Strategies
- Inspect Parse Server access logs for $relatedTo query operators correlated with unauthenticated session tokens
- Compare query response sizes against the requesting client's ACL scope to flag responses that include objects outside expected permissions
- Alert on classes containing private Relation fields when accessed without a valid _SessionToken header
Monitoring Recommendations
- Forward Parse Server and reverse proxy logs to a centralized analytics platform and retain query parameter fields for at least 90 days
- Build dashboards that track $relatedTo query volume per client IP and per application key to surface enumeration patterns
- Review CloudFront, NGINX, or API gateway logs for repeated requests differing only in objectId values targeting the same Relation field
How to Mitigate CVE-2026-53726
Immediate Actions Required
- Upgrade Parse Server to version 8.6.80 or 9.9.1-alpha.6 or later as published in GitHub Pull Request #10493 and GitHub Pull Request #10494
- Audit application schemas for classes that use Relation fields to store confidential associations such as memberships, block lists, or follower lists
- Rotate the public client key if logs show suspicious $relatedTo enumeration activity prior to patching
Patch Information
The Parse Server maintainers shipped fixes in versions 8.6.80 and 9.9.1-alpha.6. The patches extend the relation query authorization check to honor protectedFields and parent object ACLs before resolving membership. Refer to the GitHub Security Advisory GHSA-wmwx-jr2p-4j4r for the full advisory.
Workarounds
- Restrict find and get class-level permissions on classes that own private Relation fields so unauthenticated clients cannot issue queries
- Move confidential membership data out of Relation fields and into a Cloud Code function that performs explicit authorization checks before returning results
- Place a reverse proxy or WAF rule in front of Parse Server that rejects requests containing $relatedTo in the where clause when no _SessionToken header is present
# Configuration example
npm install parse-server@8.6.80
# or for the 9.x line
npm install parse-server@9.9.1-alpha.6
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

