Summary
Workarounds
There is no complete workaround without upgrading. As a mitigation, applications can avoid exposing sensitive membership through Relation fields to untrusted clients, or enforce access on the queried class in a beforeFind trigger.
Impact
A relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry; no user session, master key, or Cloud Code is needed.
As a result, an unauthenticated client who knows or obtains the owning object's objectId could enumerate the objects linked through a protected relation, or combine the operator with an objectId constraint to use it as a membership oracle, confirming whether a specific object is linked to a private parent. This affects applications that rely on protectedFields or object ACLs to keep Relation membership confidential, such as private group memberships, block lists, or account-to-resource associations.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The relation query path now authorizes $relatedTo against the owning object before reading the relation join table, using the caller's authentication context. The relation key is checked against the owning class's protectedFields (the query is rejected if the key is protected), and the owning object must be readable by the caller under its class-level permissions, ACL, and pointer permissions; otherwise the relation returns no results. Master and maintenance requests are unaffected. The check is applied consistently whether $relatedTo is used at the top level or nested within $or, $and, or $nor.
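The following is an added example, not Parse Server's own code, showing the Cloud Code mitigation mentioned under Workarounds (a beforeFind trigger on the queried class) built around the same checks the Remediation advice describes: every $relatedTo constraint, whether at the top level or nested under $or, $and, or $nor, is located, the relation key is compared against a list of protected keys, and the owning object must be readable by the caller using the caller's own session (so ACLs and class-level permissions apply) or the query is rejected. The class names `Group` and `_User`, the protected keys `members` and `blocked`, and the sample where clause are constructed for illustration; the `canRead` predicate is injected so the policy can be checked without a running server.

```javascript
// Added example (not Parse Server code): beforeFind mitigation for the
// $relatedTo authorization gap described on this page.

// Constructed policy: relation keys that non-master clients must never query
// through $relatedTo. Replace with the classes/keys your application protects.
const PROTECTED_RELATION_KEYS = {
  Group: new Set(['members', 'blocked']),
};

// Collect every $relatedTo constraint in a where clause, recursing into the
// compound operators $or / $and / $nor (each carries an array of sub-clauses).
// Returns [{ className, objectId, key }, ...].
function collectRelatedTo(where, found = []) {
  if (!where || typeof where !== 'object') return found;
  const rel = where.$relatedTo;
  if (rel && rel.object && typeof rel.object === 'object') {
    found.push({
      className: rel.object.className,
      objectId: rel.object.objectId,
      key: rel.key,
    });
  }
  for (const op of ['$or', '$and', '$nor']) {
    if (Array.isArray(where[op])) {
      for (const sub of where[op]) collectRelatedTo(sub, found);
    }
  }
  return found;
}

// Decide whether the query may proceed. canRead(className, objectId) is an
// injected async predicate answering "can this caller read that object?".
async function authorizeRelatedTo(where, canRead, protectedKeys = PROTECTED_RELATION_KEYS) {
  for (const { className, objectId, key } of collectRelatedTo(where)) {
    if (!className || !objectId || !key) {
      return { ok: false, reason: 'malformed $relatedTo constraint' };
    }
    const protectedSet = protectedKeys[className];
    if (protectedSet && protectedSet.has(key)) {
      return { ok: false, reason: `relation ${className}.${key} is protected` };
    }
    if (!(await canRead(className, objectId))) {
      return { ok: false, reason: `owning object ${className}:${objectId} is not readable` };
    }
  }
  return { ok: true };
}

// Constructed sample: a client query against _User combining two relation
// lookups, one through a protected key and one through an unprotected key.
const SAMPLE_WHERE = {
  $or: [
    { $relatedTo: { object: { __type: 'Pointer', className: 'Group', objectId: 'g1' }, key: 'members' } },
    { $relatedTo: { object: { __type: 'Pointer', className: 'Group', objectId: 'g2' }, key: 'admins' } },
  ],
};

// Cloud Code wiring, registered only when this file is loaded by Parse Server
// (where the global `Parse` exists). The read check reuses the caller's session
// token (none for anonymous callers), so the owning object's ACL and CLPs are
// enforced exactly as they would be for a direct fetch. Register one trigger per
// class that can be the target of a sensitive relation; `_User` is assumed here.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeFind('_User', async (request) => {
    if (request.master) return; // master key requests are intentionally unaffected
    const sessionToken = request.user ? request.user.getSessionToken() : undefined;
    const canRead = async (className, objectId) => {
      try {
        await new Parse.Query(className).get(objectId, { sessionToken });
        return true;
      } catch (err) {
        return false; // not found or not readable: treat both as "no access"
      }
    };
    const verdict = await authorizeRelatedTo(request.query.toJSON().where, canRead);
    if (!verdict.ok) {
      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, verdict.reason);
    }
  });
}
```

Rejecting the query (rather than silently returning no results, as the upstream fix does) is a deliberate choice for a trigger: it makes blocked attempts visible in server logs. The order of checks matters for the oracle concern in the Impact section: the protected-key check runs before any object fetch, so a protected relation is refused without revealing whether the owning objectId exists.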
Frequently Asked Questions
- What is CVE-2026-53726? CVE-2026-53726 is a medium-severity security vulnerability in parse-server (npm), affecting versions >= 9.0.0, < 9.9.1-alpha.6. It is fixed in 9.9.1-alpha.6 and 8.6.80.
- Which versions of parse-server are affected by CVE-2026-53726? parse-server (npm) versions >= 9.0.0, < 9.9.1-alpha.6 are affected.
- Is there a fix for CVE-2026-53726? Yes. CVE-2026-53726 is fixed in 9.9.1-alpha.6 and 8.6.80. Upgrade to one of these versions or later.
- Is CVE-2026-53726 exploitable, and should I be worried? Whether CVE-2026-53726 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-53726 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-53726? Upgrade parse-server to 9.9.1-alpha.6 or later, or upgrade parse-server to 8.6.80 or later.