PT-2026-21836 · Parse · Parse-Dashboard

Byamb4 · Published 2026-02-25 · Updated 2026-03-02 · CVE-2026-27608

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Name of the Vulnerable Software and Affected Versions

Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7

Description

Parse Dashboard, a standalone dashboard for managing Parse Server apps, contains an issue where the AI Agent API endpoint (POST /apps/:appId) lacks proper authorization checks. Authenticated users with access to specific applications can access the agent endpoint of any other application by modifying the appId in the URL. Read-only users are granted the full master key instead of the read-only master key, enabling them to perform write and delete operations by including write permissions in the request body. Only dashboards with the agent configuration enabled are affected.

Recommendations

Update to version 9.0.0-alpha.8 or later. As a workaround, remove the agent configuration block from your dashboard configuration.


Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-27608
GHSA-CVWJ-6C9H-JG6V

Affected Products

Parse-Dashboard