GHSA-qwc3-h9mg-4582
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qwc3-h9mg-4582
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-qwc3-h9mg-4582/GHSA-qwc3-h9mg-4582.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qwc3-h9mg-4582
- Aliases
- Published
- 2026-02-25T18:37:53Z
- Modified
- 2026-02-25T19:06:16.685920Z
- Severity
-
- 9.9 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N CVSS Calculator
- Summary
- Parse Dashboard has incomplete authentication on AI Agent endpoint
- Details
-
Impact
The AI Agent API endpoint (POST
/apps/:appId/agent) lacks authentication. Unauthenticated remote attackers can send requests to the endpoint and perform arbitrary database operations against any connected Parse Server using the master key.Patches
The fix adds authentication middleware to the agent endpoint.
Workarounds
Remove the
agentconfiguration block from your dashboard configuration. Dashboards without anagentconfig are not affected.Resources
- GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582
- Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-306" ], "nvd_published_at": "2026-02-25T03:16:04Z", "github_reviewed_at": "2026-02-25T18:37:53Z", "severity": "CRITICAL" }- References
-
- https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582
- https://nvd.nist.gov/vuln/detail/CVE-2026-27595
- https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50
- https://github.com/parse-community/parse-dashboard
- https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
Affected packages
npm / parse-dashboard
Package
- Name
- parse-dashboard
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-dashboard