CVE-2026-27595

Parse Dashboard (versions 7.3.0-alpha.42–9.0.0-alpha.7) contains an unauthenticated agent endpoint (POST /apps/:appId/agent) that, when chained with the underlying Parse Server, allows read/write access to any connected database using the master key. The issue is mitigated in 9.0.0-alpha.8 by int...

CVE-2026-27608

Parse Dashboard vulnerability CVE-2026-27608 affects versions 7.3.0-alpha.42 through 9.0.0-alpha.7 where the AI Agent API (POST /apps/:appId/agent) lacks authorization, allowing authenticated users scoped to one app to access another app’s endpoint by changing the appId. Read-only users can recei...

CVE-2026-27610

In Parse Dashboard, versions 7.3.0-alpha.42 through 9.0.0-alpha.7 have a vulnerability where the ConfigKeyCache uses the same cache key for both the master key and the read-only master key when resolving function-typed keys. Under specific timing conditions, this can allow a read-only user to obt...

CVE-2026-27609

Technical details beyond the initial description are not provided in the connected documents. Monitor for updates on affected versions and remediation for CVE-2026-27609.