Description
The AI Agent API endpoint (POST /apps/:appId/agent) lacks authentication. Unauthenticated remote attackers can send requests to the endpoint and perform arbitrary database operations against any connected Parse Server using the master key.
Recommendation
Update the parse-dashboard package to the latest compatible version. Version details:
- Affected version(s): >= 7.3.0-alpha.42, < 9.0.0-alpha.8
- Patched version(s): 9.0.0-alpha.8
References
Related Issues
- Parse Dashboard is Missing Authorization for its Agent Endpoint - CVE-2026-27608
- Parse Dashboard is Missing CSRF Protection for its Agent Endpoint - CVE-2026-27609
- Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions - CVE-2026-27610
- Parse Server has a rate limit bypass via batch request endpoint - CVE-2026-30972
Tags: npm, parse-dashboard
Last updated on February 25, 2026