CVE-2026-27608

EUVD-2026-8591

25.02.2026, 03:16

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
parseplatform	parse_dashboard	7.3.0:alpha.42
parseplatform	parse_dashboard	7.3.0:alpha.43
parseplatform	parse_dashboard	7.3.0:alpha.44
parseplatform	parse_dashboard	7.3.0:alpha.5
parseplatform	parse_dashboard	7.3.0:alpha.6
parseplatform	parse_dashboard	7.3.0:alpha.7
parseplatform	parse_dashboard	7.3.0:alpha.8
parseplatform	parse_dashboard	7.3.0:alpha.9
parseplatform	parse_dashboard	7.4.0:alpha.1
parseplatform	parse_dashboard	7.4.0:alpha.2
parseplatform	parse_dashboard	7.4.0:alpha.3
parseplatform	parse_dashboard	7.4.0:alpha.4
parseplatform	parse_dashboard	7.4.0:alpha.5
parseplatform	parse_dashboard	7.5.0:alpha.1
parseplatform	parse_dashboard	7.5.0:alpha.2
parseplatform	parse_dashboard	7.6.0:alpha.1
parseplatform	parse_dashboard	7.6.0:alpha.10
parseplatform	parse_dashboard	7.6.0:alpha.11
parseplatform	parse_dashboard	7.6.0:alpha.12
parseplatform	parse_dashboard	7.6.0:alpha.13
parseplatform	parse_dashboard	7.6.0:alpha.2
parseplatform	parse_dashboard	7.6.0:alpha.3
parseplatform	parse_dashboard	7.6.0:alpha.4
parseplatform	parse_dashboard	7.6.0:alpha.5
parseplatform	parse_dashboard	7.6.0:alpha.6
parseplatform	parse_dashboard	7.6.0:alpha.7
parseplatform	parse_dashboard	7.6.0:alpha.8
parseplatform	parse_dashboard	7.6.0:alpha.9
parseplatform	parse_dashboard	8.0.0:alpha.1
parseplatform	parse_dashboard	8.0.0:alpha.2
parseplatform	parse_dashboard	8.0.0:alpha.3
parseplatform	parse_dashboard	8.0.0:alpha.4
parseplatform	parse_dashboard	8.0.0:alpha.5
parseplatform	parse_dashboard	8.0.0:alpha.6
parseplatform	parse_dashboard	8.1.0:alpha.1
parseplatform	parse_dashboard	8.1.0:alpha.10
parseplatform	parse_dashboard	8.1.0:alpha.11
parseplatform	parse_dashboard	8.1.0:alpha.12
parseplatform	parse_dashboard	8.1.0:alpha.13
parseplatform	parse_dashboard	8.1.0:alpha.2
parseplatform	parse_dashboard	8.1.0:alpha.3
parseplatform	parse_dashboard	8.1.0:alpha.4
parseplatform	parse_dashboard	8.1.0:alpha.5
parseplatform	parse_dashboard	8.1.0:alpha.6
parseplatform	parse_dashboard	8.1.0:alpha.7
parseplatform	parse_dashboard	8.1.0:alpha.8
parseplatform	parse_dashboard	8.1.0:alpha.9
parseplatform	parse_dashboard	8.1.1:alpha.1
parseplatform	parse_dashboard	8.2.0:alpha.1
parseplatform	parse_dashboard	8.2.0:alpha.10
parseplatform	parse_dashboard	8.2.0:alpha.11
parseplatform	parse_dashboard	8.2.0:alpha.12
parseplatform	parse_dashboard	8.2.0:alpha.13
parseplatform	parse_dashboard	8.2.0:alpha.14
parseplatform	parse_dashboard	8.2.0:alpha.15
parseplatform	parse_dashboard	8.2.0:alpha.16
parseplatform	parse_dashboard	8.2.0:alpha.17
parseplatform	parse_dashboard	8.2.0:alpha.18
parseplatform	parse_dashboard	8.2.0:alpha.19
parseplatform	parse_dashboard	8.2.0:alpha.2
parseplatform	parse_dashboard	8.2.0:alpha.20
parseplatform	parse_dashboard	8.2.0:alpha.21
parseplatform	parse_dashboard	8.2.0:alpha.22
parseplatform	parse_dashboard	8.2.0:alpha.23
parseplatform	parse_dashboard	8.2.0:alpha.24
parseplatform	parse_dashboard	8.2.0:alpha.25
parseplatform	parse_dashboard	8.2.0:alpha.26
parseplatform	parse_dashboard	8.2.0:alpha.27
parseplatform	parse_dashboard	8.2.0:alpha.3
parseplatform	parse_dashboard	8.2.0:alpha.4
parseplatform	parse_dashboard	8.2.0:alpha.5
parseplatform	parse_dashboard	8.2.0:alpha.6
parseplatform	parse_dashboard	8.2.0:alpha.7
parseplatform	parse_dashboard	8.2.0:alpha.8
parseplatform	parse_dashboard	8.2.0:alpha.9
parseplatform	parse_dashboard	8.3.0:alpha.1
parseplatform	parse_dashboard	8.3.0:alpha.10
parseplatform	parse_dashboard	8.3.0:alpha.11
parseplatform	parse_dashboard	8.3.0:alpha.12
parseplatform	parse_dashboard	8.3.0:alpha.13
parseplatform	parse_dashboard	8.3.0:alpha.14
parseplatform	parse_dashboard	8.3.0:alpha.15
parseplatform	parse_dashboard	8.3.0:alpha.16
parseplatform	parse_dashboard	8.3.0:alpha.17
parseplatform	parse_dashboard	8.3.0:alpha.18
parseplatform	parse_dashboard	8.3.0:alpha.19
parseplatform	parse_dashboard	8.3.0:alpha.2
parseplatform	parse_dashboard	8.3.0:alpha.20
parseplatform	parse_dashboard	8.3.0:alpha.21
parseplatform	parse_dashboard	8.3.0:alpha.22
parseplatform	parse_dashboard	8.3.0:alpha.23
parseplatform	parse_dashboard	8.3.0:alpha.24
parseplatform	parse_dashboard	8.3.0:alpha.25
parseplatform	parse_dashboard	8.3.0:alpha.26
parseplatform	parse_dashboard	8.3.0:alpha.27
parseplatform	parse_dashboard	8.3.0:alpha.28
parseplatform	parse_dashboard	8.3.0:alpha.29
parseplatform	parse_dashboard	8.3.0:alpha.3
parseplatform	parse_dashboard	8.3.0:alpha.30
parseplatform	parse_dashboard	8.3.0:alpha.31
parseplatform	parse_dashboard	8.3.0:alpha.32
parseplatform	parse_dashboard	8.3.0:alpha.33
parseplatform	parse_dashboard	8.3.0:alpha.34
parseplatform	parse_dashboard	8.3.0:alpha.35
parseplatform	parse_dashboard	8.3.0:alpha.36
parseplatform	parse_dashboard	8.3.0:alpha.37
parseplatform	parse_dashboard	8.3.0:alpha.38
parseplatform	parse_dashboard	8.3.0:alpha.39
parseplatform	parse_dashboard	8.3.0:alpha.4
parseplatform	parse_dashboard	8.3.0:alpha.40
parseplatform	parse_dashboard	8.3.0:alpha.41
parseplatform	parse_dashboard	8.3.0:alpha.42
parseplatform	parse_dashboard	8.3.0:alpha.43
parseplatform	parse_dashboard	8.3.0:alpha.5
parseplatform	parse_dashboard	8.3.0:alpha.6
parseplatform	parse_dashboard	8.3.0:alpha.7
parseplatform	parse_dashboard	8.3.0:alpha.8
parseplatform	parse_dashboard	8.3.0:alpha.9
parseplatform	parse_dashboard	8.4.0:alpha.1
parseplatform	parse_dashboard	8.4.1:alpha.1
parseplatform	parse_dashboard	8.4.1:alpha.2
parseplatform	parse_dashboard	8.5.0:alpha.1
parseplatform	parse_dashboard	8.5.0:alpha.2
parseplatform	parse_dashboard	8.5.0:alpha.3
parseplatform	parse_dashboard	8.5.0:alpha.4
parseplatform	parse_dashboard	8.5.0:alpha.5
parseplatform	parse_dashboard	8.5.0:alpha.6
parseplatform	parse_dashboard	8.5.0:alpha.7
parseplatform	parse_dashboard	9.0.0:alpha.1
parseplatform	parse_dashboard	9.0.0:alpha.2
parseplatform	parse_dashboard	9.0.0:alpha.3
parseplatform	parse_dashboard	9.0.0:alpha.4
parseplatform	parse_dashboard	9.0.0:alpha.5
parseplatform	parse_dashboard	9.0.0:alpha.6
parseplatform	parse_dashboard	9.0.0:alpha.7

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8

https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwj-6c9h-jg6v