Security Vulnerabilities in Parse Dashboard Affecting Multiple Versions
CVE-2026-27595

9.9 CRITICAL

Key Information:

CVE Published: 25 February 2026

What is CVE-2026-27595?

Parse Dashboard is used to manage Parse Server applications. Across multiple pre-release versions, its AI Agent API endpoint had vulnerabilities that allow attackers to perform unauthorized read and write operations on connected Parse Server databases using the master key. The issue stems from a lack of authentication and improper handling of permissions. The fix in version 9.0.0-alpha.8 adds mandatory authentication, Cross-Site Request Forgery (CSRF) validation, and application-specific authorization middleware to the agent endpoint. Users with read-only access are now restricted to a dedicated read-only master key, which prevents unauthorized write operations. If a version below 9.0.0-alpha.8 is in use, it is recommended to disable or remove the agent configuration from the dashboard.

Affected Version(s)

parse-dashboard >= 7.3.0-alpha.42, < 9.0.0-alpha.8

CVSS V4

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
