CVE-2026-27595

7.5 HIGH

📋 TL;DR

This vulnerability in Parse Dashboard's AI Agent API endpoint allows unauthenticated remote attackers to perform arbitrary read and write operations on any connected Parse Server database using the master key. Only dashboards with the agent feature enabled are affected. The vulnerability affects versions 7.3.0-alpha.42 through 9.0.0-alpha.7.

💻 Affected Systems

Products:
  • Parse Dashboard
Versions: 7.3.0-alpha.42 through 9.0.0-alpha.7
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects dashboards with AI Agent feature enabled (opt-in feature)

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data destruction, and potential lateral movement to other systems

🟠

Likely Case

Unauthorized data access and modification in Parse Server databases

🟢

If Mitigated

No impact if agent feature is disabled or proper authentication controls are in place

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation possible
🏢 Internal Only: HIGH - Internal attackers can exploit without credentials

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires chaining multiple vulnerabilities but is unauthenticated

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.0-alpha.8 and later

Vendor Advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582

Restart Required: Yes

Instructions:

1. Update Parse Dashboard to version 9.0.0-alpha.8 or later
2. Restart the Parse Dashboard service
3. Verify the agent endpoint now requires authentication

🔧 Temporary Workarounds

Disable AI Agent Feature

Platform: all

Remove or comment out the agent configuration block from the Parse Dashboard configuration:

# Edit parse-dashboard-config.json and remove/comment the 'agent' configuration block

🧯 If You Can't Patch

  • Disable the AI Agent feature immediately by removing agent configuration
  • Implement network-level controls to restrict access to Parse Dashboard endpoints

🔍 How to Verify

Check if Vulnerable:

Check the Parse Dashboard version and whether the agent feature is enabled in the configuration.

Check Version:

npm list parse-dashboard | grep parse-dashboard

Verify Fix Applied:

Verify that the version is 9.0.0-alpha.8 or later and test that the agent endpoint requires authentication.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated POST requests to /apps/*/agent endpoint
  • Database operations from unauthenticated sources

Network Indicators:

  • Unusual database query patterns from Parse Dashboard
  • Unauthorized API calls to agent endpoints

SIEM Query:

source="parse-dashboard" AND path="/apps/*/agent" AND method="POST" AND auth_status="failed"
