parse-server is vulnerable to Authorization Bypass
69
Medium Risk
Parse Server's database controller resolves relation queries that use the $relatedTo operator. Before the fix, such queries could read the membership of a Relation field even when that field was hidden from the client by protectedFields, and they bypassed the owning object's ACL and class-level permissions. An unauthenticated client that knew an object's ID could therefore enumerate linked objects or confirm specific relationships, using the query as a membership oracle for objects it could not otherwise read. The fix adds an authorization check that denies $relatedTo queries on protected relation fields and verifies that the caller can read the owning object before any related objects are returned.
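To make the gate the fix describes concrete, the following is an added illustration in JavaScript (Parse Server's own language) and is not Parse Server's code: it assumes Parse's REST query shape for $relatedTo, its ACL map and the protectedFields map from class-level permissions, and all sample data is constructed.

```javascript
// Does a Parse-style ACL ({"*": {read}, "<userId>": {read}, "role:<name>": {read}})
// grant read to a caller (userId null = unauthenticated) with the given roles?
function canRead(acl, userId, roles = []) {
  if (!acl) return true; // an object with no ACL is publicly readable
  const keys = ['*'];
  if (userId) keys.push(userId);
  for (const r of roles) keys.push(`role:${r}`);
  return keys.some((k) => acl[k] && acl[k].read === true);
}

// Fields hidden from this caller: union of the '*' entry, the caller's own
// entry and each of the caller's role entries in the class's protectedFields.
function protectedFieldsFor(protectedFields, userId, roles = []) {
  if (!protectedFields) return new Set();
  const hidden = [...(protectedFields['*'] || [])];
  if (userId) hidden.push(...(protectedFields[userId] || []));
  for (const r of roles) hidden.push(...(protectedFields[`role:${r}`] || []));
  return new Set(hidden);
}

// The gate: refuse a $relatedTo query when the relation key is protected for
// the caller or when the caller cannot read the owning object. `loadOwner`
// stands in for the database lookup and returns the stored object or null.
function authorizeRelatedTo(where, caller, schema, loadOwner) {
  const rel = where && where.$relatedTo;
  if (!rel) return { allowed: true, reason: 'not a $relatedTo query' };
  if (!rel.object || !rel.key) return { allowed: false, reason: 'malformed $relatedTo' };
  const { className, objectId } = rel.object;
  const cls = schema[className] || {};
  const hidden = protectedFieldsFor(cls.protectedFields, caller.userId, caller.roles);
  if (hidden.has(rel.key)) {
    return { allowed: false, reason: 'relation key is a protected field' };
  }
  const owner = loadOwner(className, objectId);
  // A missing owner is refused exactly like an unreadable one, so the
  // response does not reveal whether the objectId exists.
  if (!owner || !canRead(owner.ACL, caller.userId, caller.roles)) {
    return { allowed: false, reason: 'caller cannot read the owning object' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample: a Post readable only by its author, whose `likes`
// relation is also hidden from everyone by protectedFields.
const schema = { Post: { protectedFields: { '*': ['likes'] } } };
const store = { Post: { p1: { ACL: { u_author: { read: true, write: true } } } } };
const loadOwner = (cls, id) => (store[cls] && store[cls][id]) || null;
const query = {
  $relatedTo: { object: { __type: 'Pointer', className: 'Post', objectId: 'p1' }, key: 'likes' },
};
```

Whatever the internal reason, the error returned to the client should be identical for the protected-field, unreadable-owner and missing-owner cases; distinct responses would rebuild the oracle the fix removes.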
You are affected if you are using a version that falls within the vulnerable range.
parse-server is vulnerable to Authorization Bypass in versions 0.0.1 - 8.6.79 and 9.0.0 - 9.9.1-alpha.5.
Upgrade the parse-server library to a patched version.