Authentication mechanism absence or evasion in parse-dashboard

Description

Parse Dashboard has incomplete authentication on AI Agent endpoint

Impact

The AI Agent API endpoint (POST /apps/:appId/agent) lacks authentication. Unauthenticated remote attackers can send requests to the endpoint and perform arbitrary database operations against any connected Parse Server using the master key.

Patches

The fix adds authentication middleware to the agent endpoint.

Workarounds

Remove the agent configuration block from your dashboard configuration. Dashboards without an agent config are not affected.
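The workaround above, as a config audit. This is an added example, not code from Parse Dashboard or from the advisory. It assumes the agent block is a top-level key named "agent" in a JSON dashboard config; the sample config, the function name auditDashboardConfig and all values are constructed.

```javascript
// Constructed sample dashboard config; every value is a placeholder.
const sampleConfig = JSON.stringify({
  apps: [
    { appId: "app-one", masterKey: "PLACEHOLDER", serverURL: "http://localhost:1337/parse" },
    { appId: "app-two", masterKey: "PLACEHOLDER", serverURL: "http://localhost:1338/parse" }
  ],
  users: [{ user: "admin", pass: "PLACEHOLDER" }],
  agent: { models: [{ name: "example-model", provider: "example", apiKey: "PLACEHOLDER" }] }
});

// Assumption: the agent configuration block is the top-level key "agent".
const AGENT_KEY = "agent";

// Hypothetical helper: reports whether an agent block is configured, which
// agent routes that exposes on an unpatched dashboard, and the config with
// the block removed (the advisory's workaround).
function auditDashboardConfig(configText) {
  let config;
  try {
    config = JSON.parse(configText);
  } catch (err) {
    return { ok: false, error: "config is not valid JSON: " + err.message };
  }
  if (config === null || typeof config !== "object" || Array.isArray(config)) {
    return { ok: false, error: "config root must be a JSON object" };
  }
  // Conservative choice: any non-null agent block is flagged, even an empty one.
  const agentConfigured =
    Object.prototype.hasOwnProperty.call(config, AGENT_KEY) && config[AGENT_KEY] != null;
  const apps = Array.isArray(config.apps) ? config.apps : [];
  // The agent route exists per app: POST /apps/:appId/agent.
  const exposedRoutes = agentConfigured
    ? apps.filter(a => a && a.appId && a.masterKey).map(a => "/apps/" + a.appId + "/agent")
    : [];
  // Copy of the config without the agent block; the input is not mutated.
  const { [AGENT_KEY]: _removed, ...workaroundConfig } = config;
  return { ok: true, agentConfigured, exposedRoutes, workaroundConfig };
}

// Print only the summary, never the config itself (it holds master keys).
const report = auditDashboardConfig(sampleConfig);
console.log(report.agentConfigured, report.exposedRoutes);
```

Run it against each deployed dashboard config and deploy workaroundConfig where upgrading to the patched release is not yet possible.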

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
