CVE-2026-27608

HIGH

Parse Dashboard 7.3.0-9.0.0 - Auth Bypass

Title source: llm
STIX 2.1

Description

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.

References (2)

Core 2

Scores

CVSS v3 8.1
EPSS 0.0004
EPSS Percentile 11.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-862
Status published
Products (9)
npm/parse-dashboard 7.3.0-alpha.42 - 9.0.0-alpha.8npm
parseplatform/parse_dashboard 7.3.0 alpha.42 (8 CPE variants)
parseplatform/parse_dashboard 7.4.0 alpha.1 (5 CPE variants)
parseplatform/parse_dashboard 7.5.0 alpha.1 (2 CPE variants)
parseplatform/parse_dashboard 7.6.0 alpha.1 (13 CPE variants)
parseplatform/parse_dashboard 8.0.0 alpha.1 (6 CPE variants)
parseplatform/parse_dashboard 8.1.0 alpha.1 (13 CPE variants)
parseplatform/parse_dashboard 8.1.1 alpha.1
parseplatform/parse_dashboard 8.2.0 alpha.1
Published Feb 25, 2026
Tracked Since Feb 25, 2026