GHSA-CVWJ-6C9H-JG6V

Vulnerability from github – Published: 2026-02-25 18:59 – Updated: 2026-02-25 18:59
VLAI?
Summary
Parse Dashboard is Missing Authorization for its Agent Endpoint
Details

Impact

The AI Agent API endpoint (POST /apps/:appId/agent) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations.

Affected are only dashboards with agent configuration enabled.

Patches

The fix adds per-app authorization checks and restricts read-only users to the readOnlyMasterKey with write permissions stripped server-side.

Workarounds

Remove the agent configuration block from your dashboard configuration. Dashboards without an agent config are not affected.

Resources

  • GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwj-6c9h-jg6v
  • Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
Severity ?
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.0-alpha.7"
      },
      "package": {
        "ecosystem": "npm",
        "name": "parse-dashboard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.3.0-alpha.42"
            },
            {
              "fixed": "9.0.0-alpha.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27608"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T18:59:44Z",
    "nvd_published_at": "2026-02-25T03:16:04Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app\u0027s agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations.\n\nAffected are only dashboards with `agent` configuration enabled.\n\n### Patches\n\nThe fix adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side.\n\n### Workarounds\n\nRemove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.\n\n### Resources\n\n- GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwj-6c9h-jg6v\n- Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8",
  "id": "GHSA-cvwj-6c9h-jg6v",
  "modified": "2026-02-25T18:59:44Z",
  "published": "2026-02-25T18:59:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwj-6c9h-jg6v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27608"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-dashboard"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Parse Dashboard is Missing Authorization for its Agent Endpoint"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.