Fluid Attacks Database

Description

Parse Dashboard is Missing Authorization for its Agent Endpoint

Impact

The AI Agent API endpoint (POST /apps/:appId/agent) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations.

Affected are only dashboards with agent configuration enabled.

Patches

The fix adds per-app authorization checks and restricts read-only users to the readOnlyMasterKey with write permissions stripped server-side.

Workarounds

Remove the agent configuration block from your dashboard configuration. Dashboards without an agent config are not affected.

Resources

GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwj-6c9h-jg6v

Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	parse-dashboard	>=7.3.0-alpha.42 <9.0.0-alpha.8	9.0.0-alpha.8

Aliases

1. CVE-2026-276082. NVD-2026-276083. OSV-2026-276084. GHSA-cvwj-6c9h-jg6v5. GCVE-2026-27608

References

1. https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwj-6c9h-jg6v2. https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.