CVE-2026-27608
HIGH
GHSA-cvwj-6c9h-jg6v
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Description
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.
Analysis
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 fail to properly authorize access to the AI Agent API endpoint, allowing authenticated users to access other apps' agent functionalities and read-only users to escalate privileges by obtaining the master key with write permissions. Attackers can exploit this to read, modify, or delete data across any app on affected Parse Server instances where agent configuration is enabled. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all instances of Parse Dashboard in use and document versions deployed; implement network-level access controls to restrict POST requests to /apps/*/agent endpoints. Within 7 days: Evaluate upgrade feasibility to version 9.0.0-alpha.8 or later once available; contact Parse Server vendor for patch timeline and interim guidance. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today