CRITICAL🇵🇱 Wersja polska

CVE-2026-27595

CVSS 9.9v4.0pub. 2026-02-25upd. 2026-06-26

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha.8 adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. Read-only users are restricted to the `readOnlyMasterKey` with write permissions stripped server-side. A cache key collision between master key and read-only master key was also corrected. As a workaround, remove or comment out the agent configuration block from your Parse Dashboard configuration.

🤖 AI Analysis
How it works

The POST endpoint `/apps/:appId/agent` required no authentication or CSRF validation, allowing any network user to call it directly. The attacker could chain multiple vulnerabilities: lack of per-application authorization mechanism, absence of session authentication, and cache key collision error between master key and read-only master key. The result of this chain of vulnerabilities was gaining access to database operations with master key privileges. The AI Agent feature is optional — dashboards without a configured agent block are not vulnerable.

Impact

An unauthenticated remote attacker can perform arbitrary read and write operations on any Parse Server database connected to the vulnerable dashboard, including modifying, deleting, or exfiltrating all application data.

Mitigation & patch

Parse Dashboard must be updated to version 9.0.0-alpha.8 or later, which adds authentication, CSRF validation, and per-application authorization middleware for the agent endpoint. As a temporary workaround, remove or comment out the agent configuration block in the Parse Dashboard configuration file.

Who is affected

Parseplatform Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 (inclusive) with active agent block configuration.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Parseplatform Parse Dashboard

    APP
    Parseplatform
    7.3.07.4.07.5.07.6.08.0.08.1.08.1.18.2.08.3.08.4.08.4.18.5.09.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-27608CRITICAL9.3PL ✓ten sam produkt

Parse Dashboard: brak autoryzacji w endpoint AI Agent API (CVE-2026-27608)

CVE-2026-27609HIGH8.3ten sam produkt

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9...

CVE-2026-27610HIGH7.0ten sam produkt

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9...

CVE-2026-34532CRITICAL9.1PL ✓ten sam vendor

Parse Server: obejście walidatorów Cloud Functions przez prototype chain

CVE-2026-32242CRITICAL9.1PL ✓ten sam vendor

Race condition w Parse Server — błędna walidacja tokenów OAuth2