Search criteria
8 vulnerabilities found for parse-dashboard by parse-community
CVE-2026-27610 (GCVE-0-2026-27610)
Vulnerability from nvd – Published: 2026-02-25 02:19 – Updated: 2026-02-25 02:21
VLAI?
Title
Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Summary
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.
Severity ?
CWE
- CWE-1289 - Improper Validation of Unsafe Equivalence in Input
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-dashboard |
Affected:
>= 7.3.0-alpha.42, < 9.0.0-alpha.8
|
{
"containers": {
"cna": {
"affected": [
{
"product": "parse-dashboard",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.3.0-alpha.42, \u003c 9.0.0-alpha.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T02:21:23.731Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr"
},
{
"name": "https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50"
},
{
"name": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8"
}
],
"source": {
"advisory": "GHSA-jhp4-jvq3-w5xr",
"discovery": "UNKNOWN"
},
"title": "Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27610",
"datePublished": "2026-02-25T02:19:56.022Z",
"dateReserved": "2026-02-20T19:43:14.602Z",
"dateUpdated": "2026-02-25T02:21:23.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27609 (GCVE-0-2026-27609)
Vulnerability from nvd – Published: 2026-02-25 02:18 – Updated: 2026-02-25 02:18
VLAI?
Title
Parse Dashboard Missing CSRF Protection on Agent Endpoint
Summary
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-dashboard |
Affected:
>= 7.3.0-alpha.42, < 9.0.0-alpha.8
|
{
"containers": {
"cna": {
"affected": [
{
"product": "parse-dashboard",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.3.0-alpha.42, \u003c 9.0.0-alpha.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim\u0027s session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T02:18:28.909Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc"
},
{
"name": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8"
}
],
"source": {
"advisory": "GHSA-3534-xp88-25rc",
"discovery": "UNKNOWN"
},
"title": "Parse Dashboard Missing CSRF Protection on Agent Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27609",
"datePublished": "2026-02-25T02:18:28.909Z",
"dateReserved": "2026-02-20T19:43:14.602Z",
"dateUpdated": "2026-02-25T02:18:28.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27595 (GCVE-0-2026-27595)
Vulnerability from nvd – Published: 2026-02-25 02:21 – Updated: 2026-02-25 02:21
VLAI?
Title
Parse Dashboard has incomplete authentication on AI Agent endpoint
Summary
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha.8 adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. Read-only users are restricted to the `readOnlyMasterKey` with write permissions stripped server-side. A cache key collision between master key and read-only master key was also corrected. As a workaround, remove or comment out the agent configuration block from your Parse Dashboard configuration.
Severity ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-dashboard |
Affected:
>= 7.3.0-alpha.42, < 9.0.0-alpha.8
|
{
"containers": {
"cna": {
"affected": [
{
"product": "parse-dashboard",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.3.0-alpha.42, \u003c 9.0.0-alpha.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha.8 adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. Read-only users are restricted to the `readOnlyMasterKey` with write permissions stripped server-side. A cache key collision between master key and read-only master key was also corrected. As a workaround, remove or comment out the agent configuration block from your Parse Dashboard configuration."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T02:21:33.428Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582"
},
{
"name": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8"
}
],
"source": {
"advisory": "GHSA-qwc3-h9mg-4582",
"discovery": "UNKNOWN"
},
"title": "Parse Dashboard has incomplete authentication on AI Agent endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27595",
"datePublished": "2026-02-25T02:21:33.428Z",
"dateReserved": "2026-02-20T19:43:14.601Z",
"dateUpdated": "2026-02-25T02:21:33.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27608 (GCVE-0-2026-27608)
Vulnerability from nvd – Published: 2026-02-25 02:16 – Updated: 2026-02-25 18:58
VLAI?
Title
Parse Dashboard Missing Authorization on Agent Endpoint
Summary
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-dashboard |
Affected:
>= 7.3.0-alpha.42, < 9.0.0-alpha.8
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27608",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T18:55:55.191858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T18:58:39.218Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-dashboard",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.3.0-alpha.42, \u003c 9.0.0-alpha.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app\u0027s agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T02:16:30.622Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwj-6c9h-jg6v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwj-6c9h-jg6v"
},
{
"name": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8"
}
],
"source": {
"advisory": "GHSA-cvwj-6c9h-jg6v",
"discovery": "UNKNOWN"
},
"title": "Parse Dashboard Missing Authorization on Agent Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27608",
"datePublished": "2026-02-25T02:16:30.622Z",
"dateReserved": "2026-02-20T19:43:14.602Z",
"dateUpdated": "2026-02-25T18:58:39.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27595 (GCVE-0-2026-27595)
Vulnerability from cvelistv5 – Published: 2026-02-25 02:21 – Updated: 2026-02-25 02:21
VLAI?
Title
Parse Dashboard has incomplete authentication on AI Agent endpoint
Summary
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha.8 adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. Read-only users are restricted to the `readOnlyMasterKey` with write permissions stripped server-side. A cache key collision between master key and read-only master key was also corrected. As a workaround, remove or comment out the agent configuration block from your Parse Dashboard configuration.
Severity ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-dashboard |
Affected:
>= 7.3.0-alpha.42, < 9.0.0-alpha.8
|
{
"containers": {
"cna": {
"affected": [
{
"product": "parse-dashboard",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.3.0-alpha.42, \u003c 9.0.0-alpha.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha.8 adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. Read-only users are restricted to the `readOnlyMasterKey` with write permissions stripped server-side. A cache key collision between master key and read-only master key was also corrected. As a workaround, remove or comment out the agent configuration block from your Parse Dashboard configuration."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T02:21:33.428Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582"
},
{
"name": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8"
}
],
"source": {
"advisory": "GHSA-qwc3-h9mg-4582",
"discovery": "UNKNOWN"
},
"title": "Parse Dashboard has incomplete authentication on AI Agent endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27595",
"datePublished": "2026-02-25T02:21:33.428Z",
"dateReserved": "2026-02-20T19:43:14.601Z",
"dateUpdated": "2026-02-25T02:21:33.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27610 (GCVE-0-2026-27610)
Vulnerability from cvelistv5 – Published: 2026-02-25 02:19 – Updated: 2026-02-25 02:21
VLAI?
Title
Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Summary
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.
Severity ?
CWE
- CWE-1289 - Improper Validation of Unsafe Equivalence in Input
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-dashboard |
Affected:
>= 7.3.0-alpha.42, < 9.0.0-alpha.8
|
{
"containers": {
"cna": {
"affected": [
{
"product": "parse-dashboard",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.3.0-alpha.42, \u003c 9.0.0-alpha.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T02:21:23.731Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr"
},
{
"name": "https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50"
},
{
"name": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8"
}
],
"source": {
"advisory": "GHSA-jhp4-jvq3-w5xr",
"discovery": "UNKNOWN"
},
"title": "Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27610",
"datePublished": "2026-02-25T02:19:56.022Z",
"dateReserved": "2026-02-20T19:43:14.602Z",
"dateUpdated": "2026-02-25T02:21:23.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27609 (GCVE-0-2026-27609)
Vulnerability from cvelistv5 – Published: 2026-02-25 02:18 – Updated: 2026-02-25 02:18
VLAI?
Title
Parse Dashboard Missing CSRF Protection on Agent Endpoint
Summary
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-dashboard |
Affected:
>= 7.3.0-alpha.42, < 9.0.0-alpha.8
|
{
"containers": {
"cna": {
"affected": [
{
"product": "parse-dashboard",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.3.0-alpha.42, \u003c 9.0.0-alpha.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim\u0027s session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T02:18:28.909Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc"
},
{
"name": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8"
}
],
"source": {
"advisory": "GHSA-3534-xp88-25rc",
"discovery": "UNKNOWN"
},
"title": "Parse Dashboard Missing CSRF Protection on Agent Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27609",
"datePublished": "2026-02-25T02:18:28.909Z",
"dateReserved": "2026-02-20T19:43:14.602Z",
"dateUpdated": "2026-02-25T02:18:28.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27608 (GCVE-0-2026-27608)
Vulnerability from cvelistv5 – Published: 2026-02-25 02:16 – Updated: 2026-02-25 18:58
VLAI?
Title
Parse Dashboard Missing Authorization on Agent Endpoint
Summary
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| parse-community | parse-dashboard |
Affected:
>= 7.3.0-alpha.42, < 9.0.0-alpha.8
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27608",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T18:55:55.191858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T18:58:39.218Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-dashboard",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.3.0-alpha.42, \u003c 9.0.0-alpha.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app\u0027s agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T02:16:30.622Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwj-6c9h-jg6v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwj-6c9h-jg6v"
},
{
"name": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8"
}
],
"source": {
"advisory": "GHSA-cvwj-6c9h-jg6v",
"discovery": "UNKNOWN"
},
"title": "Parse Dashboard Missing Authorization on Agent Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27608",
"datePublished": "2026-02-25T02:16:30.622Z",
"dateReserved": "2026-02-20T19:43:14.602Z",
"dateUpdated": "2026-02-25T18:58:39.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}