6717 matches found
parse-hipaa-dashboard (>=1.5.0 <=2.0.5) potentially affected by CVE-2026-27610 via parse-dashboard (>=7.3.0 <=8.5.0)
parse-dashboard NPM version =7.3.0, =1.5.0, =2.0.5 Source cves: CVE-2026-27610 Source advisory: OSV:GHSA-JHP4-JVQ3-W5XR...
GHSA-JHP4-JVQ3-W5XR Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Impact: The ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. Patches: The...
parse-hipaa-dashboard (>=1.5.0 <=2.0.5) potentially affected by CVE-2026-27610 via parse-dashboard (>=7.3.0 <=8.5.0)
parse-dashboard NPM version =7.3.0, =1.5.0, =2.0.5 Source cves: CVE-2026-27610 Source advisory: SNYK:JS-PARSEDASHBOARD-15366639...
Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Impact: The ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. Patches: The...
Improper Validation of Unsafe Equivalence in Input
Overview: parse-dashboard is the Parse Dashboard for Parse Server. Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the ConfigKeyCache process. An attacker can obtain unauthorized access to sensitive master key information by exploiting cac...
parse-hipaa-dashboard (>=1.5.0 <=2.0.5) potentially affected by CVE-2026-27609 via parse-dashboard (>=7.3.0 <=8.5.0)
parse-dashboard NPM version =7.3.0, =1.5.0, =2.0.5 Source cves: CVE-2026-27609 Source advisory: OSV:GHSA-3534-XP88-25RC...
Cross-site Request Forgery (CSRF)
Overview: parse-dashboard is the Parse Dashboard for Parse Server. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the agent endpoint. An attacker can perform unauthorized actions on behalf of an authenticated user by tricking them into visiting a malicious...
GHSA-3534-XP88-25RC Parse Dashboard is Missing CSRF Protection for its Agent Endpoint
Impact: The AI Agent API endpoint POST /apps/:appId/agent lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. Patches: The fix adds CSRF middleware to the agent endpoi...
Parse Dashboard is Missing CSRF Protection for its Agent Endpoint
Impact: The AI Agent API endpoint POST /apps/:appId/agent lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. Patches: The fix adds CSRF middleware to the agent endpoi...
parse-hipaa-dashboard (>=1.5.0 <=2.0.5) potentially affected by CVE-2026-27609 via parse-dashboard (>=7.3.0 <=8.5.0)
parse-dashboard NPM version =7.3.0, =1.5.0, =2.0.5 Source cves: CVE-2026-27609 Source advisory: SNYK:JS-PARSEDASHBOARD-15366640...
EUVD-2026-8592
Parse Dashboard is Missing CSRF Protection for its Agent Endpoint...
parse-hipaa-dashboard (>=1.5.0 <=2.0.5) potentially affected by CVE-2026-27608 via parse-dashboard (>=7.3.0 <=8.5.0)
parse-dashboard NPM version =7.3.0, =1.5.0, =2.0.5 Source cves: CVE-2026-27608 Source advisory: SNYK:JS-PARSEDASHBOARD-15366642...
GHSA-CVWJ-6C9H-JG6V Parse Dashboard is Missing Authorization for its Agent Endpoint
Impact: The AI Agent API endpoint POST /apps/:appId/agent does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and c...
EUVD-2026-8591
Parse Dashboard is Missing Authorization for its Agent Endpoint...
parse-hipaa-dashboard (>=1.5.0 <=2.0.5) potentially affected by CVE-2026-27608 via parse-dashboard (>=7.3.0 <=8.5.0)
parse-dashboard NPM version =7.3.0, =1.5.0, =2.0.5 Source cves: CVE-2026-27608 Source advisory: OSV:GHSA-CVWJ-6C9H-JG6V...
Missing Authorization
Overview: parse-dashboard is the Parse Dashboard for Parse Server. Affected versions of this package are vulnerable to Missing Authorization via the agent endpoint. An attacker can gain unauthorized access to other applications' agent endpoints and escalate privileges by modifying the app ID in t...
parse-hipaa-dashboard (>=1.5.0 <=2.0.5) potentially affected by CVE-2026-27595 via parse-dashboard (>=7.3.0 <=8.5.0)
parse-dashboard NPM version =7.3.0, =1.5.0, =2.0.5 Source cves: CVE-2026-27595 Source advisory: SNYK:JS-PARSEDASHBOARD-15366641...
parse-hipaa-dashboard (>=1.5.0 <=2.0.5) potentially affected by CVE-2026-27595 via parse-dashboard (>=7.3.0 <=8.5.0)
parse-dashboard NPM version =7.3.0, =1.5.0, =2.0.5 Source cves: CVE-2026-27595 Source advisory: OSV:GHSA-QWC3-H9MG-4582...
GHSA-QWC3-H9MG-4582 Parse Dashboard has incomplete authentication on AI Agent endpoint
Impact: The AI Agent API endpoint POST /apps/:appId/agent lacks authentication. Unauthenticated remote attackers can send requests to the endpoint and perform arbitrary database operations against any connected Parse Server using the master key. Patches: The fix adds authentication middleware to th...
EUVD-2026-8595
Parse Dashboard has incomplete authentication on AI Agent endpoint...