Package details: pkg:npm/parse-dashboard@9.0.0-alpha.8
purl pkg:npm/parse-dashboard@9.0.0-alpha.8
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (4)
| Vulnerability | Summary | Aliases |
| --- | --- | --- |
| VCID-4ab8-4w6g-f3h3 | Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha.8 adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. Read-only users are restricted to the `readOnlyMasterKey` with write permissions stripped server-side. A cache key collision between master key and read-only master key was also corrected. As a workaround, remove or comment out the agent configuration block from your Parse Dashboard configuration. | CVE-2026-27595, GHSA-qwc3-h9mg-4582 |
| VCID-7sk5-3qk5-j7f5 | Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration. | CVE-2026-27610, GHSA-jhp4-jvq3-w5xr |
| VCID-cs92-r1tv-2yeh | Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected. | CVE-2026-27609, GHSA-3534-xp88-25rc |
| VCID-ge7y-tqew-kydj | Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected. | CVE-2026-27608, GHSA-cvwj-6c9h-jg6v |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-06-12T15:50:53.662257+00:00 | GitLab Importer | Fixing | VCID-ge7y-tqew-kydj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-dashboard/CVE-2026-27608.yml | 38.6.0 |
| 2026-06-12T15:50:50.113256+00:00 | GitLab Importer | Fixing | VCID-4ab8-4w6g-f3h3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-dashboard/CVE-2026-27595.yml | 38.6.0 |
| 2026-06-12T15:50:48.536407+00:00 | GitLab Importer | Fixing | VCID-7sk5-3qk5-j7f5 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-dashboard/CVE-2026-27610.yml | 38.6.0 |
| 2026-06-12T15:50:48.476918+00:00 | GitLab Importer | Fixing | VCID-cs92-r1tv-2yeh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-dashboard/CVE-2026-27609.yml | 38.6.0 |
| 2026-06-12T07:48:22.741489+00:00 | GithubOSV Importer | Fixing | VCID-7sk5-3qk5-j7f5 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-jhp4-jvq3-w5xr/GHSA-jhp4-jvq3-w5xr.json | 38.6.0 |
| 2026-06-12T07:47:57.421176+00:00 | GithubOSV Importer | Fixing | VCID-ge7y-tqew-kydj | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-cvwj-6c9h-jg6v/GHSA-cvwj-6c9h-jg6v.json | 38.6.0 |
| 2026-06-12T07:47:51.766355+00:00 | GithubOSV Importer | Fixing | VCID-cs92-r1tv-2yeh | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-3534-xp88-25rc/GHSA-3534-xp88-25rc.json | 38.6.0 |
| 2026-06-12T07:47:44.529426+00:00 | GithubOSV Importer | Fixing | VCID-4ab8-4w6g-f3h3 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-qwc3-h9mg-4582/GHSA-qwc3-h9mg-4582.json | 38.6.0 |
| 2026-06-11T20:38:19.466450+00:00 | GHSA Importer | Fixing | VCID-7sk5-3qk5-j7f5 | https://github.com/advisories/GHSA-jhp4-jvq3-w5xr | 38.6.0 |
| 2026-06-11T20:38:19.448169+00:00 | GHSA Importer | Fixing | VCID-cs92-r1tv-2yeh | https://github.com/advisories/GHSA-3534-xp88-25rc | 38.6.0 |
| 2026-06-11T20:38:19.430345+00:00 | GHSA Importer | Fixing | VCID-ge7y-tqew-kydj | https://github.com/advisories/GHSA-cvwj-6c9h-jg6v | 38.6.0 |
| 2026-06-11T20:38:19.204162+00:00 | GHSA Importer | Fixing | VCID-4ab8-4w6g-f3h3 | https://github.com/advisories/GHSA-qwc3-h9mg-4582 | 38.6.0 |