Description
The AI Agent API endpoint (POST /apps/:appId/agent) does not enforce authorization. Authenticated users scoped to specific apps can access any other app’s agent endpoint by changing the app ID in the URL.
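The missing check described above, shown as an added example that is not parse-dashboard's own code: an Express-style middleware that rejects a request when the authenticated user is not scoped to the app ID in the URL. The user object shape (an `apps` array of app IDs), the names `userMayAccessApp` and `requireAppAccess`, and the dependency-free request simulator are assumptions made for illustration.

```javascript
// Added illustration; not parse-dashboard source. The user shape
// ({ username, apps: [appId, ...] }) and all function names are assumptions.

// Returns true only when the authenticated user is scoped to appId.
function userMayAccessApp(user, appId) {
  if (!user || !Array.isArray(user.apps)) return false; // fail closed
  return typeof appId === 'string' && user.apps.includes(appId);
}

// Express-style middleware for routes under /apps/:appId/...
function requireAppAccess(req, res, next) {
  if (!req.user) return res.status(401).json({ error: 'Unauthenticated' });
  if (!userMayAccessApp(req.user, req.params.appId)) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  return next();
}

// Minimal stand-in for an Express response, so this runs without dependencies.
function fakeRes() {
  return {
    statusCode: 200, body: null,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.body = obj; return this; },
  };
}

// Runs a middleware chain for POST /apps/:appId/agent and returns the HTTP status.
function simulateAgentRequest(user, appId, middlewares) {
  const req = { method: 'POST', params: { appId }, user };
  const res = fakeRes();
  const agentHandler = (_req, r) => r.status(200).json({ ok: true });
  const chain = [...middlewares, agentHandler];
  let i = 0;
  const next = () => chain[i++](req, res, next);
  next();
  return res.statusCode;
}

// Constructed sample user, scoped to a single app.
const alice = { username: 'alice', apps: ['app-a'] };

// Authentication-only chain (the behaviour the advisory describes): app ID never checked.
const authOnly = (req, res, next) => (req.user ? next() : res.status(401).json({}));
console.log(simulateAgentRequest(alice, 'app-b', [authOnly]));         // 200
console.log(simulateAgentRequest(alice, 'app-b', [requireAppAccess])); // 403
console.log(simulateAgentRequest(alice, 'app-a', [requireAppAccess])); // 200
```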
Recommendation
Update the parse-dashboard package to the latest compatible version. Version details:
- Affected version(s): >= 7.3.0-alpha.42, <= 9.0.0-alpha.7
- Patched version(s): 9.0.0-alpha.8
References
Related Issues
- Parse Dashboard is Missing CSRF Protection for its Agent Endpoint - CVE-2026-27609
- Parse Dashboard has incomplete authentication on AI Agent endpoint - CVE-2026-27595
- Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization - CVE-2026-30850
- Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions - CVE-2026-27610
- Tags: npm, parse-dashboard
Last updated on February 25, 2026