Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry — no user session, master key, or Cloud Code is needed. As a result, an unauthenticated client who knows or obtains the owning object's objectId could enumerate the objects linked through a protected relation, or combine the operator with an objectId constraint to use it as a membership oracle — confirming whether a specific object is linked to a private parent. This affects applications that rely on protectedFields or object ACLs to keep Relation membership confidential, such as private group memberships, block lists, or account-to-resource associations. This issue has been patched in versions 8.6.80 and 9.9.1-alpha.6.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A relation query using the $relatedTo operator in Parse Server can read the membership of a Relation field even when the field is hidden by protectedFields and even when the owning object is not readable by the client under its ACL or class-level permissions. The attacker only requires the public API credentials that Parse clients normally carry and can enumerate objects linked through a protected relation or confirm whether a specific object is linked to a private parent. This enables the unauthorized disclosure of sensitive information such as private group memberships, block lists, or account-to-resource associations.

Affected Systems

Applications running parse-community parse-server versions prior to 8.6.80 or 9.9.1-alpha.6 are affected. The vulnerability applies to any deployment of Parse Server that relies on protectedFields or object ACLs to keep Relation membership confidential.

Risk and Exploitability

The CVSS score of 6.9 places the issue in the medium severity range, but the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in CISA's KEV catalog, suggesting no widespread exploitation has been reported. An unauthenticated attacker who knows or guesses an owning object's objectId can exploit the flaw by issuing a $relatedTo query, which then serves as a membership oracle for private data. The attack vector is straightforward and requires no special privileges beyond the public API key.

Generated by OpenCVE AI on June 12, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.80 or later, or 9.9.1-alpha.6 or later, which contains the fix for the $relatedTo query bypass.
  • If an immediate upgrade is not possible, implement a custom validation layer in Cloud Code or the application front-end to block use of the $relatedTo operator for protected classes until the patch is applied.
  • Confirm that protectedFields and ACLs are correctly configured and review application logic for any assumptions about data confidentiality that could be violated by bypassed Relation queries.
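The second recommended action above asks for an interim Cloud Code guard. The following is an added example, not Parse Server's own code or the advisory's: a beforeFind trigger that refuses non-master queries carrying a $relatedTo constraint on relations the application treats as confidential. The rule table (PROTECTED_RELATIONS), the helper names and the sample query are assumptions for illustration; the $relatedTo shape, Parse.Cloud.beforeFind, req.query.toJSON() and Parse.Error.OPERATION_FORBIDDEN are the real Parse interfaces. The walker goes beyond the top-level case by descending the whole where clause, so an operator tucked inside $or/$and/$nor branches or an $inQuery/$select subquery is caught as well.

```javascript
// Added example (not Parse Server's own code): an interim Cloud Code guard that
// withholds $relatedTo on confidential relations from client requests until the
// fixed release is deployed. Rule table, helper names and sample data are assumptions.

// Relation fields whose membership must stay private. Each rule names the class
// that owns the Relation, the field, and the class its members belong to
// (the class a $relatedTo query is actually issued against).
const PROTECTED_RELATIONS = [
  { ownerClass: 'Group', key: 'members', targetClass: '_User' },
  { ownerClass: '_User', key: 'blockedUsers', targetClass: '_User' },
];

// Walk a Parse REST "where" clause and collect every $relatedTo constraint that
// points at a protected relation. The walk is generic (every object and array
// is descended), so operators nested under $or/$and/$nor or inside an
// $inQuery/$select subquery are found, not only the top-level form.
function findProtectedRelatedTo(node, rules = PROTECTED_RELATIONS) {
  const hits = [];
  if (Array.isArray(node)) {
    for (const item of node) hits.push(...findProtectedRelatedTo(item, rules));
    return hits;
  }
  if (!node || typeof node !== 'object') return hits;
  for (const [key, value] of Object.entries(node)) {
    if (key === '$relatedTo' && value && typeof value === 'object') {
      const owner = value.object && typeof value.object === 'object' ? value.object : {};
      const matched = rules.filter(r => r.ownerClass === owner.className && r.key === value.key);
      for (const rule of matched) {
        hits.push({ ownerClass: rule.ownerClass, key: rule.key, objectId: owner.objectId });
      }
    } else {
      hits.push(...findProtectedRelatedTo(value, rules));
    }
  }
  return hits;
}

// Policy: master-key requests (trusted server code) pass through; any other
// request that uses $relatedTo on a protected relation is rejected outright.
// Failing closed is deliberate: the guard does not re-implement the owning
// object's ACL check, it simply withholds the operator from clients.
function shouldRejectFind(where, isMaster, rules = PROTECTED_RELATIONS) {
  if (isMaster) return false;
  return findProtectedRelatedTo(where, rules).length > 0;
}

// Cloud Code wiring. This branch only runs inside Parse Server, where `Parse`
// is a global; beforeFind fires for every query on the named class and throwing
// from it rejects the request before the database is consulted.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  const targetClasses = [...new Set(PROTECTED_RELATIONS.map(r => r.targetClass))];
  for (const className of targetClasses) {
    Parse.Cloud.beforeFind(className, req => {
      const where = req.query.toJSON().where || {};
      if (shouldRejectFind(where, req.master)) {
        throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN,
          'Relation queries on protected fields are not permitted');
      }
    });
  }
}

// Constructed sample: the REST "where" clause a client sends when it asks for
// the _User objects linked through Group.members (the shape named in the advisory).
const SAMPLE_WHERE = {
  $relatedTo: {
    object: { __type: 'Pointer', className: 'Group', objectId: 'xyz789' },
    key: 'members',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findProtectedRelatedTo(SAMPLE_WHERE)); // one hit: Group.members, objectId xyz789
  console.log(shouldRejectFind(SAMPLE_WHERE, false)); // true: client request is blocked
  console.log(shouldRejectFind(SAMPLE_WHERE, true));  // false: master-key request passes
}
```

Two design points. First, the guard blocks the operator for every client, including users who could legitimately read the owning object; that is the cost of a stopgap that does not reproduce Parse Server's ACL evaluation, and upgrading remains the actual fix. Second, beforeFind is registered per class, so a subquery on an unregistered class is not inspected; for full coverage register the trigger on every class the application exposes to clients, not only the relation target classes.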

Generated by OpenCVE AI on June 12, 2026 at 19:20 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:00:00 +0000

Type: First Time appeared
Values Added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values Added: Parse Community; Parse Community parse Server

Fri, 12 Jun 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 18:45:00 +0000

Type: Description
Values Added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry — no user session, master key, or Cloud Code is needed. As a result, an unauthenticated client who knows or obtains the owning object's objectId could enumerate the objects linked through a protected relation, or combine the operator with an objectId constraint to use it as a membership oracle — confirming whether a specific object is linked to a private parent. This affects applications that rely on protectedFields or object ACLs to keep Relation membership confidential, such as private group memberships, block lists, or account-to-resource associations. This issue has been patched in versions 8.6.80 and 9.9.1-alpha.6.

Type: Title
Values Added: Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL

Type: Weaknesses
Values Added: CWE-639

Type: References
Values Added: (none listed)

Type: Metrics (cvssV4_0)
Values Added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Parse Community Parse Server
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T18:57:06.731Z

Reserved: 2026-06-10T16:43:31.242Z

Link: CVE-2026-53726

Vulnrichment

Updated: 2026-06-12T18:57:01.341Z

NVD

Status : Received

Published: 2026-06-12T19:16:30.510

Modified: 2026-06-12T19:16:30.510

Link: CVE-2026-53726

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T19:45:27Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key