GHSA-WMWX-JR2P-4J4R

Vulnerability from github – Published: 2026-06-19 19:35 – Updated: 2026-06-19 19:35
VLAI
Summary
parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
Details

Impact

A relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry — no user session, master key, or Cloud Code is needed.

As a result, an unauthenticated client who knows or obtains the owning object's objectId could enumerate the objects linked through a protected relation, or combine the operator with an objectId constraint to use it as a membership oracle — confirming whether a specific object is linked to a private parent. This affects applications that rely on protectedFields or object ACLs to keep Relation membership confidential, such as private group memberships, block lists, or account-to-resource associations.

Patches

The relation query path now authorizes $relatedTo against the owning object before reading the relation join table, using the caller's authentication context. The relation key is checked against the owning class's protectedFields (the query is rejected if the key is protected), and the owning object must be readable by the caller under its class-level permissions, ACL, and pointer permissions; otherwise the relation returns no results. Master and maintenance requests are unaffected. The check is applied consistently whether $relatedTo is used at the top level or nested within $or, $and, or $nor.

Workarounds

There is no complete workaround without upgrading. As mitigation, applications can avoid exposing sensitive membership through Relation fields to untrusted clients, or enforce access on the queried class in a beforeFind trigger.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.9.1-alpha.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.6.80"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53726"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T19:35:19Z",
    "nvd_published_at": "2026-06-12T19:16:30Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA relation query using the `$relatedTo` operator could read the membership of a `Relation` field even when that field was hidden from the requesting client by `protectedFields`, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry \u2014 no user session, master key, or Cloud Code is needed.\n\nAs a result, an unauthenticated client who knows or obtains the owning object\u0027s `objectId` could enumerate the objects linked through a protected relation, or combine the operator with an `objectId` constraint to use it as a membership oracle \u2014 confirming whether a specific object is linked to a private parent. This affects applications that rely on `protectedFields` or object ACLs to keep `Relation` membership confidential, such as private group memberships, block lists, or account-to-resource associations.\n\n### Patches\n\nThe relation query path now authorizes `$relatedTo` against the owning object before reading the relation join table, using the caller\u0027s authentication context. The relation key is checked against the owning class\u0027s `protectedFields` (the query is rejected if the key is protected), and the owning object must be readable by the caller under its class-level permissions, ACL, and pointer permissions; otherwise the relation returns no results. Master and maintenance requests are unaffected. The check is applied consistently whether `$relatedTo` is used at the top level or nested within `$or`, `$and`, or `$nor`.\n\n### Workarounds\n\nThere is no complete workaround without upgrading. As mitigation, applications can avoid exposing sensitive membership through `Relation` fields to untrusted clients, or enforce access on the queried class in a `beforeFind` trigger.",
  "id": "GHSA-wmwx-jr2p-4j4r",
  "modified": "2026-06-19T19:35:19Z",
  "published": "2026-06-19T19:35:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wmwx-jr2p-4j4r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53726"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/10493"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/10494"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…