diff --git a/spec/ProtectedFields.spec.js b/spec/ProtectedFields.spec.js
index fbfc5bf296..ba8ce1e8eb 100644
--- a/spec/ProtectedFields.spec.js
+++ b/spec/ProtectedFields.spec.js
@@ -2368,4 +2368,37 @@ describe('ProtectedFields', function () {
 expect(response.data.secretField).toBeUndefined();
 });
 });
+
+ describe('maintenance auth', function () {
+ it('should allow maintenance auth to query using protected fields as WHERE keys', async function () {
+ await reconfigureServer({
+ protectedFields: { _User: { '*': ['email', 'emailVerified'] } },
+ protectedFieldsOwnerExempt: false,
+ });
+
+ const user = new Parse.User();
+ user.setUsername('testuser');
+ user.setPassword('password');
+ user.setEmail('test@example.com');
+ await user.signUp();
+
+ // Query using a protected field as a WHERE key with maintenance auth
+ const Auth = require('../lib/Auth');
+ const Config = require('../lib/Config');
+ const RestQuery = require('../lib/RestQuery');
+ const config = Config.get('test');
+ const maintenanceAuth = Auth.maintenance(config);
+ const query = await RestQuery({
+ method: RestQuery.Method.get,
+ config,
+ auth: maintenanceAuth,
+ className: '_User',
+ restWhere: { email: 'test@example.com' },
+ runBeforeFind: false,
+ });
+ const result = await query.execute();
+ expect(result.results.length).toBe(1);
+ expect(result.results[0].objectId).toBe(user.id);
+ });
+ });
 });
diff --git a/src/RestQuery.js b/src/RestQuery.js
index 29efa2caa1..b69230b9d5 100644
--- a/src/RestQuery.js
+++ b/src/RestQuery.js
@@ -896,7 +896,7 @@ _UnsafeRestQuery.prototype.runCount = function () {
 };
 _UnsafeRestQuery.prototype.denyProtectedFields = async function () {
- if (this.auth.isMaster) {
+ if (this.auth.isMaster || this.auth.isMaintenance) {
 return;
 }
 const schemaController = await this.config.database.loadSchema();
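Review bot: The new `describe('maintenance auth', ...)` block asserts only the allow path, so a later change that over-widens the guard in `denyProtectedFields` would still pass it. A sibling `it` under the same `protectedFields` configuration that builds the identical `RestQuery` with `auth: Auth.nobody(config)` and expects the query to reject would pin the exemption to maintenance auth. If that denial is already asserted earlier in this spec file (not visible in the hunk), a one-line comment pointing to that test would be enough.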
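Review bot: The early return in `denyProtectedFields` now exempts a second principal from the protected-field WHERE check, and nothing at the guard records why maintenance auth is trusted to the same degree as master. A comment above the condition would make that intent reviewable, for example `// Master and maintenance auth are server-side credentials and may filter on protected fields.` Because this widens an authorization bypass, it is worth confirming that the other places enforcing `protectedFields` (outside this hunk, so I cannot check them) apply the same exemption, otherwise maintenance queries will behave inconsistently between paths. The function body continues past the end of the hunk.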