CVE-2026-27595
Received Received - Intake
Unauthenticated Remote Access in Parse Dashboard AI Agent API

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha.8 adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. Read-only users are restricted to the `readOnlyMasterKey` with write permissions stripped server-side. A cache key collision between master key and read-only master key was also corrected. As a workaround, remove or comment out the agent configuration block from your Parse Dashboard configuration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27595
EUVD
EUVD-2026-8595
Affected Vendors & Products
Showing 135 associated CPEs
Vendor Product Version / Range
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.5.0
parseplatform parse_dashboard 7.5.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.1
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.4.0
parseplatform parse_dashboard 8.4.1
parseplatform parse_dashboard 8.4.1
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27595 is a critical security vulnerability in the Parse Dashboard software, specifically affecting versions 7.3.0-alpha.42 through 9.0.0-alpha.7. The issue lies in the AI Agent API endpoint (POST /apps/:appId/agent), which lacks proper authentication.

Because of this missing authentication, unauthenticated remote attackers can send requests to this endpoint and perform arbitrary read and write operations on any connected Parse Server database using the master key.

This vulnerability is due to missing authentication for a critical function (classified as CWE-306). The agent feature is opt-in, so dashboards without an agent configuration are not affected.

The issue was fixed in version 9.0.0-alpha.8 by adding authentication, CSRF validation, and per-app authorization middleware to the agent endpoint.

Impact Analysis

This vulnerability allows unauthenticated remote attackers to perform arbitrary read and write operations on any connected Parse Server database using the master key.

As a result, attackers can compromise the confidentiality and integrity of your data, potentially accessing sensitive information and modifying or deleting data without authorization.

The vulnerability has a critical CVSS v4 base score of 9.9, indicating a high risk with no privileges or user interaction required for exploitation.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability affects the AI Agent API endpoint (POST /apps/:appId/agent) in Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 when the agent feature is enabled.'}, {'type': 'paragraph', 'content': 'To detect if your system is vulnerable, you can check if your Parse Dashboard configuration includes an agent configuration block, as dashboards without this block are not affected.'}, {'type': 'paragraph', 'content': 'Additionally, you can monitor network traffic for unauthenticated POST requests to the /apps/:appId/agent endpoint, which should normally require authentication in fixed versions.'}, {'type': 'paragraph', 'content': 'Example commands to detect potential exploitation attempts or presence of the vulnerable endpoint might include:'}, {'type': 'list_item', 'content': "Using curl to test the endpoint without authentication: curl -X POST http://your-dashboard-domain/apps/yourAppId/agent -d '{}'"}, {'type': 'list_item', 'content': 'Using network monitoring tools (e.g., tcpdump or Wireshark) to filter POST requests to the /apps/:appId/agent path.'}, {'type': 'list_item', 'content': 'Checking your Parse Dashboard configuration file for the presence of the agent configuration block.'}] [2]

Mitigation Strategies

The immediate mitigation step is to remove or comment out the agent configuration block from your Parse Dashboard configuration. This disables the vulnerable AI Agent API endpoint.

Upgrading Parse Dashboard to version 9.0.0-alpha.8 or later is recommended, as this version includes a fix that adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint.

Ensure that read-only users are restricted to the readOnlyMasterKey with write permissions stripped server-side, as implemented in the fixed version.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27595. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart