Skip to main content

Parse Dashboard CVE-2026-27595

CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-02-25 security-advisories@github.com GHSA-qwc3-h9mg-4582
9.9
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
9.9 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
10.0 CRITICAL

Remote unauthenticated endpoint with no user interaction (AV:N/AC:L/PR:N/UI:N); master-key actions on the separate Parse Server justify S:C with high confidentiality/integrity and no availability impact (A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

9
Analysis Updated
Jun 26, 2026 - 17:15 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 26, 2026 - 17:14 vuln.today
Analysis Updated
Jun 26, 2026 - 17:14 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 17:07 vuln.today
cvss_changed
Severity Changed
Jun 26, 2026 - 17:07 NVD
HIGH CRITICAL
CVSS changed
Jun 26, 2026 - 17:07 NVD
7.5 (HIGH) 9.9 (CRITICAL)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 25, 2026 - 03:16 nvd
HIGH 7.5

DescriptionCVE.org

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST /apps/:appId/agent) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha.8 adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. Read-only users are restricted to the readOnlyMasterKey with write permissions stripped server-side. A cache key collision between master key and read-only master key was also corrected. As a workaround, remove or comment out the agent configuration block from your Parse Dashboard configuration.

AnalysisAI

Unauthenticated arbitrary database read/write in Parse Dashboard's AI Agent endpoint (POST /apps/:appId/agent) lets remote attackers operate against any connected Parse Server using the master key. Affected builds span the 7.3.0-alpha.42 through 9.0.0-alpha.7 pre-releases, but only deployments that have explicitly enabled the opt-in agent feature are exposed. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but the chained authentication/CSRF/authorization gaps make exploitation trivial where the feature is configured.

Technical ContextAI

Parse Dashboard is the standalone Node.js web admin UI for managing Parse Server backend apps. The flaw is rooted in CWE-306 (Missing Authentication for Critical Function): the AI Agent route was wired into the dashboard without the authentication, CSRF, and per-app authorization middleware that protects other privileged operations. Because the agent acts on behalf of the dashboard with the Parse Server master key, a request reaching the endpoint inherits full, ACL-bypassing master-key privileges over the connected database. A secondary defect - a cache key collision between the master key and the read-only master key - further weakened the read-only privilege boundary. CPE data confirms the affected component as cpe:2.3:a:parseplatform:parse_dashboard across the 7.3.0-alpha and 7.4.0-alpha node.js builds.

RemediationAI

Vendor-released patch: 9.0.0-alpha.8 - upgrade the parse-dashboard npm package to 9.0.0-alpha.8 or later, which adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint, restricts read-only users to the readOnlyMasterKey with write permissions stripped server-side, and fixes the master-key/read-only-master-key cache collision (commit f92a9ef5246d57e51696bd881a15f3b133b2bb50). If you cannot upgrade immediately, the vendor-supported workaround is to remove or comment out the entire agent configuration block from your Parse Dashboard configuration; dashboards without an agent config are not affected. The trade-off of the workaround is loss of the AI agent functionality, which is acceptable since the feature is opt-in. Refer to advisory GHSA-qwc3-h9mg-4582 (https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582) and the release at https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8.

Share

CVE-2026-27595 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy