PT-2026-21833 · Parse · Parse-Dashboard

Byamb4 · Published 2026-02-25 · Updated 2026-03-02 · CVE-2026-27595

CVSS v4.0: 9.9 Critical
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions

Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7

Description

Parse Dashboard, a standalone dashboard for managing Parse Server apps, contains security issues in the AI Agent API endpoint (/apps/:appId/agent). Versions 7.3.0-alpha.42 through 9.0.0-alpha.7 are affected by multiple vulnerabilities that, when combined, could allow attackers without authentication to perform arbitrary read and write operations on any connected Parse Server database using the master key. The agent feature must be enabled for the dashboard to be affected. The issue stems from a lack of authentication, Cross-Site Request Forgery (CSRF) validation, and per-app authorization on the agent endpoint. A cache key collision between the master key and read-only master key also contributed to the problem.

Recommendations

Versions 7.3.0-alpha.42 through 9.0.0-alpha.7: Remove or comment out the agent configuration block from your Parse Dashboard configuration.

Exploit

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-27595
GHSA-QWC3-H9MG-4582

Affected Products

Parse-Dashboard