Cyber Posture

CVE-2026-27595

Severity: High
Published: 25 February 2026
Modified: 27 February 2026
KEV Added: not listed
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0002 (6.1st percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27595 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Parseplatform Parse Dashboard. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 6.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other AI Platforms.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- addresses CWE-306: Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.
- addresses CWE-306: Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.
- addresses CWE-306: Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
- addresses CWE-306: Guarantees critical functions are protected by mandatory invocation of the access control mechanism.
- addresses CWE-306: Auditing sessions makes it possible to detect access to critical functions without required authentication.
- addresses CWE-306: The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.
- addresses CWE-306: Certification assesses that critical functions have required authentication controls in place.
- addresses CWE-306: Disabling non-essential functions and services eliminates the need to secure them, reducing exposure from missing authentication on unnecessary components.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Unauthenticated remote exploitation of missing authentication (CWE-306) in the exposed AI Agent API endpoint of a public-facing Parse Dashboard, enabling arbitrary database read/write via the master key.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha.8 adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. Read-only users are restricted to the `readOnlyMasterKey` with write permissions stripped server-side. A cache key collision between master key and read-only master key was also corrected. As a workaround, remove or comment out the agent configuration block from your Parse Dashboard configuration.

Deeper analysis (AI-generated)

CVE-2026-27595 is a vulnerability in Parse Dashboard, a standalone dashboard for managing Parse Server apps, affecting versions 7.3.0-alpha.42 through 9.0.0-alpha.7. It stems from multiple security issues in the AI Agent API endpoint (POST `/apps/:appId/agent`), which can be chained to allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in, meaning dashboards without an agent configuration are not affected. The issue is classified under CWE-306 (Missing Authentication for Critical Function) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Unauthenticated remote attackers can exploit the chained vulnerabilities by sending requests to the exposed agent endpoint, bypassing authentication and gaining full master key privileges. This enables complete read and write access to databases across any connected Parse Server instances managed by the dashboard, potentially leading to data exfiltration, modification, or deletion without requiring user interaction or privileges.

Mitigation is available in Parse Dashboard version 9.0.0-alpha.8, which adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. It further restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side and corrects a cache key collision between the master key and read-only master key. As a workaround, remove or comment out the agent configuration block from the Parse Dashboard configuration. Details are provided in the GitHub release notes (https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8) and security advisory (https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-4582).

Details

CWE(s): CWE-306

Affected Products: parseplatform parse dashboard, versions 7.3.0, 7.4.0, 7.5.0, 7.6.0, 8.0.0

AI Security Analysis (AI-generated)

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

CVEs Like This One

CVE-2026-27608: same product (Parseplatform Parse Dashboard)
CVE-2026-32594: same vendor (Parseplatform)
CVE-2026-30967: same vendor (Parseplatform)
CVE-2026-32878: same vendor (Parseplatform)
CVE-2026-34532: same vendor (Parseplatform)
CVE-2026-34784: same vendor (Parseplatform)
CVE-2026-31871: same vendor (Parseplatform)
CVE-2026-26319: shared CWE-306
CVE-2026-31800: same vendor (Parseplatform)
CVE-2026-32098: same vendor (Parseplatform)
