Vulnerability Description
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse Dashboard | 7.3.0 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8Release Notes
- https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwjVendor Advisory
FAQ
What is CVE-2026-27608?
CVE-2026-27608 is a vulnerability with a CVSS score of 8.1 (HIGH). Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce autho...
How severe is CVE-2026-27608?
CVE-2026-27608 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27608?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse Dashboard.