Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter

Impact An unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. Patches The fix hardcodes the expected RS256 algorithm...

GHSA-4Q3H-VP4R-PRV2 Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter

Impact An unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. Patches The fix hardcodes the expected RS256 algorithm...

parse-hipaa-dashboard (>=1.5.0 <=2.0.5) potentially affected by CVE-2026-27610 via parse-dashboard (>=7.3.0 <=8.5.0)

parse-dashboard NPM version =7.3.0, =1.5.0, =2.0.5 Source cves: CVE-2026-27610 Source advisory: OSV:GHSA-JHP4-JVQ3-W5XR...

EUVD-2026-8593

Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions...

parse-hipaa-dashboard (>=1.5.0 <=2.0.5) potentially affected by CVE-2026-27610 via parse-dashboard (>=7.3.0 <=8.5.0)

parse-dashboard NPM version =7.3.0, =1.5.0, =2.0.5 Source cves: CVE-2026-27610 Source advisory: SNYK:JS-PARSEDASHBOARD-15366639...

Improper Validation of Unsafe Equivalence in Input

Overview parse-dashboard is a The Parse Dashboard for Parse Server Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the ConfigKeyCache process. An attacker can obtain unauthorized access to sensitive master key information by exploiting cac...

Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions

Impact The ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. Patches The...

GHSA-JHP4-JVQ3-W5XR Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions

Impact The ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. Patches The...

Cross-site Request Forgery (CSRF)

Overview parse-dashboard is a The Parse Dashboard for Parse Server Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the agent endpoint. An attacker can perform unauthorized actions on behalf of an authenticated user by tricking them into visiting a malicious...

EUVD-2026-8592

Parse Dashboard is Missing CSRF Protection for its Agent Endpoint...

parse-hipaa-dashboard (>=1.5.0 <=2.0.5) potentially affected by CVE-2026-27609 via parse-dashboard (>=7.3.0 <=8.5.0)

parse-dashboard NPM version =7.3.0, =1.5.0, =2.0.5 Source cves: CVE-2026-27609 Source advisory: OSV:GHSA-3534-XP88-25RC...

parse-hipaa-dashboard (>=1.5.0 <=2.0.5) potentially affected by CVE-2026-27609 via parse-dashboard (>=7.3.0 <=8.5.0)

parse-dashboard NPM version =7.3.0, =1.5.0, =2.0.5 Source cves: CVE-2026-27609 Source advisory: SNYK:JS-PARSEDASHBOARD-15366640...

GHSA-3534-XP88-25RC Parse Dashboard is Missing CSRF Protection for its Agent Endpoint

Impact The AI Agent API endpoint POST /apps/:appId/agent lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. Patches The fix adds CSRF middleware to the agent endpoi...

Parse Dashboard is Missing CSRF Protection for its Agent Endpoint

Impact The AI Agent API endpoint POST /apps/:appId/agent lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. Patches The fix adds CSRF middleware to the agent endpoi...

parse-hipaa-dashboard (>=1.5.0 <=2.0.5) potentially affected by CVE-2026-27608 via parse-dashboard (>=7.3.0 <=8.5.0)

parse-dashboard NPM version =7.3.0, =1.5.0, =2.0.5 Source cves: CVE-2026-27608 Source advisory: OSV:GHSA-CVWJ-6C9H-JG6V...

Missing Authorization

Overview parse-dashboard is a The Parse Dashboard for Parse Server Affected versions of this package are vulnerable to Missing Authorization via the agent endpoint. An attacker can gain unauthorized access to other applications' agent endpoints and escalate privileges by modifying the app ID in t...

EUVD-2026-8591

Parse Dashboard is Missing Authorization for its Agent Endpoint...

parse-hipaa-dashboard (>=1.5.0 <=2.0.5) potentially affected by CVE-2026-27608 via parse-dashboard (>=7.3.0 <=8.5.0)

parse-dashboard NPM version =7.3.0, =1.5.0, =2.0.5 Source cves: CVE-2026-27608 Source advisory: SNYK:JS-PARSEDASHBOARD-15366642...

GHSA-CVWJ-6C9H-JG6V Parse Dashboard is Missing Authorization for its Agent Endpoint

Impact The AI Agent API endpoint POST /apps/:appId/agent does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and c...

Missing Authentication for Critical Function

Overview parse-dashboard is a The Parse Dashboard for Parse Server Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the agent endpoint. An attacker can perform arbitrary database operations against any connected server instance by sending...