GHSA-QWC3-H9MG-4582
Vulnerability from github – Published: 2026-02-25 18:37 – Updated: 2026-02-25 18:37
Summary
Parse Dashboard has incomplete authentication on AI Agent endpoint
Details
Impact
The AI Agent API endpoint (POST /apps/:appId/agent) lacks authentication. Unauthenticated remote attackers can send requests to the endpoint and perform arbitrary database operations against any connected Parse Server using the master key.
Patches
The fix adds authentication middleware to the agent endpoint.
Workarounds
Remove the agent configuration block from your dashboard configuration. Dashboards without an agent config are not affected.
Resources
- GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582
- Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-dashboard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.3.0-alpha.42"
            },
            {
              "fixed": "9.0.0-alpha.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27595"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T18:37:53Z",
    "nvd_published_at": "2026-02-25T03:16:04Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe AI Agent API endpoint (POST `/apps/:appId/agent`) lacks authentication. Unauthenticated remote attackers can send requests to the endpoint and perform arbitrary database operations against any connected Parse Server using the master key.\n\n### Patches\n\nThe fix adds authentication middleware to the agent endpoint.\n\n### Workarounds\n\nRemove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.\n\n### Resources\n\n- GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582\n- Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8",
  "id": "GHSA-qwc3-h9mg-4582",
  "modified": "2026-02-25T18:37:53Z",
  "published": "2026-02-25T18:37:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27595"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-dashboard"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Parse Dashboard has incomplete authentication on AI Agent endpoint"
}