Parse Dashboard: Unauthenticated Access to AI Agent Endpoint

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

9.9

Parse Dashboard: Unauthenticated Access to AI Agent Endpoint

CVE-2026-27595 GHSA-qwc3-h9mg-4582

Summary

An attacker can access any connected Parse Server's database without a password. The fix is available in version 9.0.0-alpha.8 of the Parse Dashboard. To protect yourself, update to the latest version or remove the 'agent' configuration from your dashboard settings.

What to do

Update parseadmin parse-dashboard to version 9.0.0-alpha.8.

Affected software

Vendor	Product	Affected versions	Fix available
parseadmin	parse-dashboard	> 7.3.0-alpha.42 , <= 9.0.0-alpha.8	9.0.0-alpha.8
parseplatform	parse_dashboard	7.3.0	–
parseplatform	parse_dashboard	7.3.0	–
parseplatform	parse_dashboard	7.3.0	–
parseplatform	parse_dashboard	7.3.0	–
parseplatform	parse_dashboard	7.3.0	–
parseplatform	parse_dashboard	7.3.0	–
parseplatform	parse_dashboard	7.3.0	–
parseplatform	parse_dashboard	7.3.0	–
parseplatform	parse_dashboard	7.4.0	–
parseplatform	parse_dashboard	7.4.0	–
parseplatform	parse_dashboard	7.4.0	–
parseplatform	parse_dashboard	7.4.0	–
parseplatform	parse_dashboard	7.4.0	–
parseplatform	parse_dashboard	7.5.0	–
parseplatform	parse_dashboard	7.5.0	–
parseplatform	parse_dashboard	7.6.0	–
parseplatform	parse_dashboard	7.6.0	–
parseplatform	parse_dashboard	7.6.0	–
parseplatform	parse_dashboard	7.6.0	–
parseplatform	parse_dashboard	7.6.0	–
parseplatform	parse_dashboard	7.6.0	–
parseplatform	parse_dashboard	7.6.0	–
parseplatform	parse_dashboard	7.6.0	–
parseplatform	parse_dashboard	7.6.0	–
parseplatform	parse_dashboard	7.6.0	–
parseplatform	parse_dashboard	7.6.0	–
parseplatform	parse_dashboard	7.6.0	–
parseplatform	parse_dashboard	7.6.0	–
parseplatform	parse_dashboard	8.0.0	–
parseplatform	parse_dashboard	8.0.0	–
parseplatform	parse_dashboard	8.0.0	–
parseplatform	parse_dashboard	8.0.0	–
parseplatform	parse_dashboard	8.0.0	–
parseplatform	parse_dashboard	8.0.0	–
parseplatform	parse_dashboard	8.1.0	–
parseplatform	parse_dashboard	8.1.0	–
parseplatform	parse_dashboard	8.1.0	–
parseplatform	parse_dashboard	8.1.0	–
parseplatform	parse_dashboard	8.1.0	–
parseplatform	parse_dashboard	8.1.0	–
parseplatform	parse_dashboard	8.1.0	–
parseplatform	parse_dashboard	8.1.0	–
parseplatform	parse_dashboard	8.1.0	–
parseplatform	parse_dashboard	8.1.0	–
parseplatform	parse_dashboard	8.1.0	–
parseplatform	parse_dashboard	8.1.0	–
parseplatform	parse_dashboard	8.1.0	–
parseplatform	parse_dashboard	8.1.1	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.2.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.3.0	–
parseplatform	parse_dashboard	8.4.0	–
parseplatform	parse_dashboard	8.4.1	–
parseplatform	parse_dashboard	8.4.1	–
parseplatform	parse_dashboard	8.5.0	–
parseplatform	parse_dashboard	8.5.0	–
parseplatform	parse_dashboard	8.5.0	–
parseplatform	parse_dashboard	8.5.0	–
parseplatform	parse_dashboard	8.5.0	–
parseplatform	parse_dashboard	8.5.0	–
parseplatform	parse_dashboard	8.5.0	–
parseplatform	parse_dashboard	9.0.0	–
parseplatform	parse_dashboard	9.0.0	–
parseplatform	parse_dashboard	9.0.0	–
parseplatform	parse_dashboard	9.0.0	–
parseplatform	parse_dashboard	9.0.0	–
parseplatform	parse_dashboard	9.0.0	–
parseplatform	parse_dashboard	9.0.0	–

Original title

Parse Dashboard has incomplete authentication on AI Agent endpoint

Original description

### Impact

The AI Agent API endpoint (POST `/apps/:appId/agent`) lacks authentication. Unauthenticated remote attackers can send requests to the endpoint and perform arbitrary database operations against any connected Parse Server using the master key.

### Patches

The fix adds authentication middleware to the agent endpoint.

### Workarounds

Remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.

### Resources

- GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582
- Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8

nvd CVSS3.1 7.5

nvd CVSS4.0 9.9

Vulnerability type

CWE-306 Missing Authentication for Critical Function

Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026