CVE-2026-27595
Published 2026-02-25
Priority: P3 · 54 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.45% (35.9th percentile)
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha.8 adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. Read-only users are restricted to the `readOnlyMasterKey` with write permissions stripped server-side. A cache key collision between master key and read-only master key was also corrected. As a workaround, remove or comment out the agent configuration block from your Parse Dashboard configuration.
Affected
137 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-dashboard | — | — |
| parse-community | parse-dashboard | >= 7.3.0-alpha.42 < 9.0.0-alpha.8 | 9.0.0-alpha.8 |
| parseplatform | parse_dashboard | — | — |
CVSS provenance
- nvd · v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- nvd · v4.0 · 9.9 · CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV
Parse Dashboard has incomplete authentication on AI Agent endpoint
osv · 2026-02-25
CVE-2026-27595 [CRITICAL] Parse Dashboard has incomplete authentication on AI Agent endpoint
### Impact
The AI Agent API endpoint (POST `/apps/:appId/agent`) lacks authentication. Unauthenticated remote attackers can send requests to the endpoint and perform arbitrary database operations against any connected Parse Server using the master key.
### Patches
The fix adds authentication middleware to the agent endpoint.
### Workarounds
Remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.
### Resources
- GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582
- Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
GHSA
Parse Dashboard has incomplete authentication on AI Agent endpoint
ghsa · 2026-02-25
CVE-2026-27595 [CRITICAL] CWE-306 Parse Dashboard has incomplete authentication on AI Agent endpoint
No detection rules found.
No public exploits indexed.
Published: 2026-02-25