CVE-2026-27608

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-27608
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8 Release Notes
https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwj-6c9h-jg6v Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.42:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.43:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.44:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.9:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.5.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.5.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.12:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.13:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.9:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.12:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.13:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.9:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.1:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.12:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.13:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.14:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.15:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.16:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.17:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.18:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.19:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.20:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.21:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.22:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.23:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.24:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.25:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.26:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.27:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.9:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.12:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.13:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.14:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.15:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.16:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.17:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.18:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.19:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.20:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.21:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.22:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.23:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.24:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.25:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.26:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.27:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.28:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.29:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.30:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.31:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.32:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.33:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.34:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.35:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.36:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.37:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.38:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.39:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.40:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.41:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.42:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.43:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.9:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.4.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.4.1:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.4.1:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.7:*:*:*:node.js:*:*
History

No history.

Information

Published : 2026-02-25 03:16

Updated : 2026-02-27 19:17

NVD link : CVE-2026-27608

Mitre link : CVE-2026-27608

CVE.ORG link : CVE-2026-27608

JSON object : View

Products Affected

parseplatform

  • parse_dashboard
CWE
CWE-862

Missing Authorization