Publish Advisories

GHSA-3534-xp88-25rc
GHSA-cvwj-6c9h-jg6v
GHSA-jhp4-jvq3-w5xr

Author: advisory-database[bot]

advisories/github-reviewed/2026/02/GHSA-3534-xp88-25rc/GHSA-3534-xp88-25rc.json

@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3534-xp88-25rc",
+  "modified": "2026-02-25T18:59:58Z",
+  "published": "2026-02-25T18:59:58Z",
+  "aliases": [
+    "CVE-2026-27609"
+  ],
+  "summary": "Parse Dashboard is Missing CSRF Protection for its Agent Endpoint",
+  "details": "### Impact\n\nThe AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session.\n\n### Patches\n\nThe fix adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page.\n\n### Workarounds\n\nRemove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.\n\n### Resources\n\n- GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc\n- Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-dashboard"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.3.0-alpha.42"
+            },
+            {
+              "fixed": "9.0.0-alpha.8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27609"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parse-community/parse-dashboard"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-25T18:59:58Z",
+    "nvd_published_at": "2026-02-25T03:16:05Z"
+  }
+}

advisories/github-reviewed/2026/02/GHSA-cvwj-6c9h-jg6v/GHSA-cvwj-6c9h-jg6v.json

@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cvwj-6c9h-jg6v",
+  "modified": "2026-02-25T18:59:44Z",
+  "published": "2026-02-25T18:59:44Z",
+  "aliases": [
+    "CVE-2026-27608"
+  ],
+  "summary": "Parse Dashboard is Missing Authorization for its Agent Endpoint",
+  "details": "### Impact\n\nThe AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations.\n\nAffected are only dashboards with `agent` configuration enabled.\n\n### Patches\n\nThe fix adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side.\n\n### Workarounds\n\nRemove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.\n\n### Resources\n\n- GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwj-6c9h-jg6v\n- Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-dashboard"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.3.0-alpha.42"
+            },
+            {
+              "fixed": "9.0.0-alpha.8"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 9.0.0-alpha.7"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwj-6c9h-jg6v"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27608"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parse-community/parse-dashboard"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-25T18:59:44Z",
+    "nvd_published_at": "2026-02-25T03:16:04Z"
+  }
+}

advisories/github-reviewed/2026/02/GHSA-jhp4-jvq3-w5xr/GHSA-jhp4-jvq3-w5xr.json

@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jhp4-jvq3-w5xr",
+  "modified": "2026-02-25T19:00:07Z",
+  "published": "2026-02-25T19:00:07Z",
+  "aliases": [
+    "CVE-2026-27610"
+  ],
+  "summary": "Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions",
+  "details": "### Impact\n\nThe `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key.\n\n### Patches\n\nThe fix uses distinct cache keys for master key and read-only master key.\n\n### Workarounds\n\nAvoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.\n\n### Resources\n\n- GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr\n- Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-dashboard"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.3.0-alpha.42"
+            },
+            {
+              "fixed": "9.0.0-alpha.8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27610"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parse-community/parse-dashboard"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1289"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-25T19:00:07Z",
+    "nvd_published_at": "2026-02-25T03:16:05Z"
+  }
+}