VulnerableCode Package Details - pkg:npm/parse-dashboard@8.0.0-alpha.6

Search for packages

Vulnerability	Summary	Fixed by
VCID-4ab8-4w6g-f3h3 Aliases: CVE-2026-27595 GHSA-qwc3-h9mg-4582	Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha.8 adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. Read-only users are restricted to the `readOnlyMasterKey` with write permissions stripped server-side. A cache key collision between master key and read-only master key was also corrected. As a workaround, remove or comment out the agent configuration block from your Parse Dashboard configuration.	9.0.0-alpha.8 Affected by 0 other vulnerabilities.
VCID-7sk5-3qk5-j7f5 Aliases: CVE-2026-27610 GHSA-jhp4-jvq3-w5xr	Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.	9.0.0-alpha.8 Affected by 0 other vulnerabilities.
VCID-cs92-r1tv-2yeh Aliases: CVE-2026-27609 GHSA-3534-xp88-25rc	Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.	9.0.0-alpha.8 Affected by 0 other vulnerabilities.
VCID-ge7y-tqew-kydj Aliases: CVE-2026-27608 GHSA-cvwj-6c9h-jg6v	Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.	9.0.0-alpha.8 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-4ab8-4w6g-f3h3
Aliases:
CVE-2026-27595
GHSA-qwc3-h9mg-4582

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha.8 adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. Read-only users are restricted to the `readOnlyMasterKey` with write permissions stripped server-side. A cache key collision between master key and read-only master key was also corrected. As a workaround, remove or comment out the agent configuration block from your Parse Dashboard configuration.

9.0.0-alpha.8
Affected by 0 other vulnerabilities.

VCID-7sk5-3qk5-j7f5
Aliases:
CVE-2026-27610
GHSA-jhp4-jvq3-w5xr

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.

9.0.0-alpha.8
Affected by 0 other vulnerabilities.

VCID-cs92-r1tv-2yeh
Aliases:
CVE-2026-27609
GHSA-3534-xp88-25rc

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.

9.0.0-alpha.8
Affected by 0 other vulnerabilities.

VCID-ge7y-tqew-kydj
Aliases:
CVE-2026-27608
GHSA-cvwj-6c9h-jg6v

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.

9.0.0-alpha.8
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T21:09:51.272577+00:00	GitLab Importer	Affected by	VCID-ge7y-tqew-kydj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-dashboard/CVE-2026-27608.yml	38.6.0
2026-06-12T21:08:23.813250+00:00	GitLab Importer	Affected by	VCID-4ab8-4w6g-f3h3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-dashboard/CVE-2026-27595.yml	38.6.0
2026-06-12T21:07:40.884720+00:00	GitLab Importer	Affected by	VCID-7sk5-3qk5-j7f5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-dashboard/CVE-2026-27610.yml	38.6.0
2026-06-12T21:07:39.678129+00:00	GitLab Importer	Affected by	VCID-cs92-r1tv-2yeh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-dashboard/CVE-2026-27609.yml	38.6.0