CVE-2026-27608
🔴 HIGH
Description
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.
Affected Products (135)
parseplatform - parse_dashboard
Versions: 7.3.0, 7.4.0, 7.5.0, 7.6.0, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.4.0, 8.4.1, 8.5.0, 9.0.0
Additional Information
- Source: security-advisories@github.com
- State: Analyzed