Skip to main content

Parse Dashboard

4 CVEs product

Monthly

CVE-2026-27610 npm HIGH PATCH This Week

Privilege escalation via cache key collision in Parse Dashboard (npm parse-dashboard) versions 7.3.0-alpha.42 through 9.0.0-alpha.7 allows an authenticated read-only user to obtain the full master key. The flaw lives in ConfigKeyCache, which reuses one cache entry for both the master key and the read-only master key when those keys are function-typed; under a timing race a read-only session can read back the cached full master key (or a regular user the read-only key). Exploitation requires an authenticated dashboard session and a non-default configuration (function-typed keys plus the agent block); no public exploit identified at time of analysis and EPSS is low (0.05%), but the GitHub Security Advisory and patch commit confirm the issue.

Information Disclosure Parse Dashboard
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-27609 npm HIGH PATCH This Week

Cross-site request forgery in Parse Dashboard (versions 7.3.0-alpha.42 through 9.0.0-alpha.7) lets a remote attacker abuse the unprotected AI Agent endpoint (POST /apps/:appId/agent), which lacks CSRF protection and a session-bound token. By luring an authenticated dashboard operator to a malicious web page, the attacker forces agent requests to execute under the victim's session, driving state-changing operations against managed Parse Server apps. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue is fixed in 9.0.0-alpha.8.

CSRF Parse Dashboard
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-27608 npm CRITICAL PATCH Act Now

Broken authorization in Parse Dashboard's AI Agent endpoint (POST /apps/:appId/agent) lets any authenticated user reach apps they are not scoped to and lets read-only users escalate to full read-write control. Present in versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the endpoint omits per-app authorization checks and hands read-only users the full master key, so an attacker can swap the app ID in the URL to act against other tenants and supply write permissions to perform write/delete operations. No public exploit is identified at time of analysis, and the EPSS probability is very low (0.03%), but it is trivially exploitable by any logged-in low-privilege user where the agent feature is enabled.

Authentication Bypass Parse Dashboard
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-27595 npm CRITICAL PATCH Act Now

Unauthenticated arbitrary database read/write in Parse Dashboard's AI Agent endpoint (POST /apps/:appId/agent) lets remote attackers operate against any connected Parse Server using the master key. Affected builds span the 7.3.0-alpha.42 through 9.0.0-alpha.7 pre-releases, but only deployments that have explicitly enabled the opt-in agent feature are exposed. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but the chained authentication/CSRF/authorization gaps make exploitation trivial where the feature is configured.

CSRF Parse Dashboard Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.9
EPSS
0.0%
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation via cache key collision in Parse Dashboard (npm parse-dashboard) versions 7.3.0-alpha.42 through 9.0.0-alpha.7 allows an authenticated read-only user to obtain the full master key. The flaw lives in ConfigKeyCache, which reuses one cache entry for both the master key and the read-only master key when those keys are function-typed; under a timing race a read-only session can read back the cached full master key (or a regular user the read-only key). Exploitation requires an authenticated dashboard session and a non-default configuration (function-typed keys plus the agent block); no public exploit identified at time of analysis and EPSS is low (0.05%), but the GitHub Security Advisory and patch commit confirm the issue.

Information Disclosure Parse Dashboard
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Cross-site request forgery in Parse Dashboard (versions 7.3.0-alpha.42 through 9.0.0-alpha.7) lets a remote attacker abuse the unprotected AI Agent endpoint (POST /apps/:appId/agent), which lacks CSRF protection and a session-bound token. By luring an authenticated dashboard operator to a malicious web page, the attacker forces agent requests to execute under the victim's session, driving state-changing operations against managed Parse Server apps. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue is fixed in 9.0.0-alpha.8.

CSRF Parse Dashboard
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Broken authorization in Parse Dashboard's AI Agent endpoint (POST /apps/:appId/agent) lets any authenticated user reach apps they are not scoped to and lets read-only users escalate to full read-write control. Present in versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the endpoint omits per-app authorization checks and hands read-only users the full master key, so an attacker can swap the app ID in the URL to act against other tenants and supply write permissions to perform write/delete operations. No public exploit is identified at time of analysis, and the EPSS probability is very low (0.03%), but it is trivially exploitable by any logged-in low-privilege user where the agent feature is enabled.

Authentication Bypass Parse Dashboard
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Unauthenticated arbitrary database read/write in Parse Dashboard's AI Agent endpoint (POST /apps/:appId/agent) lets remote attackers operate against any connected Parse Server using the master key. Affected builds span the 7.3.0-alpha.42 through 9.0.0-alpha.7 pre-releases, but only deployments that have explicitly enabled the opt-in agent feature are exposed. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but the chained authentication/CSRF/authorization gaps make exploitation trivial where the feature is configured.

CSRF Parse Dashboard Authentication Bypass
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy