CVE-2026-27608

CRITICAL
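Chinese title:
(no data)
English title:
Parse Dashboard Missing Authorization on Agent Endpoint
CVSS score: 9.3
Published: 2026-02-25 02:16:30
Vulnerability type: (no data)
Status: PUBLISHED
Data quality score: 0.40
Data version: v3
Vulnerability description
Chinese description:

(no data)

English description: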

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.

CWE type:
CWE-862
Tags:
(no data)
Affected products
| Vendor | Product | Version | Version range | Platform | CPE |
|---|---|---|---|---|---|
| parse-community | parse-dashboard | >= 7.3.0-alpha.42, < 9.0.0-alpha.8 | - | - | cpe:2.3:a:parse-community:parse-dashboard:>=_7.3.0-alpha.42,_<_9.0.0-alpha.8:*:*:*:*:*:*:* |
| parseplatform | parse_dashboard | 7.3.0 | - | - | cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.42:*:*:*:node.js:*:* |
| parseplatform | parse_dashboard | 7.4.0 | - | - | cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.1:*:*:*:node.js:*:* |
| parseplatform | parse_dashboard | 7.5.0 | - | - | cpe:2.3:a:parseplatform:parse_dashboard:7.5.0:alpha.1:*:*:*:node.js:*:* |
| parseplatform | parse_dashboard | 7.6.0 | - | - | cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.1:*:*:*:node.js:*:* |
| parseplatform | parse_dashboard | 8.0.0 | - | - | cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.1:*:*:*:node.js:*:* |
| parseplatform | parse_dashboard | 8.1.0 | - | - | cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.1:*:*:*:node.js:*:* |
| parseplatform | parse_dashboard | 8.1.1 | - | - | cpe:2.3:a:parseplatform:parse_dashboard:8.1.1:alpha.1:*:*:*:node.js:*:* |
| parseplatform | parse_dashboard | 8.2.0 | - | - | cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.1:*:*:*:node.js:*:* |
| parseplatform | parse_dashboard | 8.3.0 | - | - | cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.1:*:*:*:node.js:*:* |
| parseplatform | parse_dashboard | 8.4.0 | - | - | cpe:2.3:a:parseplatform:parse_dashboard:8.4.0:alpha.1:*:*:*:node.js:*:* |
| parseplatform | parse_dashboard | 8.4.1 | - | - | cpe:2.3:a:parseplatform:parse_dashboard:8.4.1:alpha.1:*:*:*:node.js:*:* |
| parseplatform | parse_dashboard | 8.5.0 | - | - | cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.1:*:*:*:node.js:*:* |
| parseplatform | parse_dashboard | 9.0.0 | - | - | cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.1:*:*:*:node.js:*:* |
Solution
Chinese solution:
(no data)
English solution:
(no data)
Temporary workaround:
(no data)
References
https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-cvwj-6c9h-jg6v x_refsource_CONFIRM
cve.org
https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8 x_refsource_MISC
cve.org
CVSS score details
4.0 (cna)
CRITICAL
9.3
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Subsequent system impact (Subsequent):
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Time information
Published:
2026-02-25 02:16:30
Modified:
2026-02-25 18:58:39
Created:
2026-02-26 06:00:01
Updated:
2026-02-28 06:00:02
Exploit information
No exploit code information available
Data source details

| Data source | Record ID | Version | Extraction time |
|---|---|---|---|
| CVE | cve_CVE-2026-27608 | 2026-02-26 03:19:54 | 2026-02-25 22:00:01 |
| NVD | nvd_CVE-2026-27608 | 2026-02-26 02:00:04 | 2026-02-25 22:00:04 |
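Version and language
Current version: v3
Primary language: EN
Supported languages:
EN
Security advisories
No security advisory information available
Change history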
v3 NVD
2026-02-28 06:00:02
affected_products_count: 1 → 14
v2 NVD
2026-02-26 06:00:04
data_sources: ['cve'] → ['cve', 'nvd']