Platform
nodejs
Component
parse-dashboard
Fixed versions
7.3.1
9.0.0-alpha.8
CVE-2026-27595 is a critical authentication bypass vulnerability discovered in Parse Dashboard. This flaw allows unauthenticated remote attackers to execute arbitrary database operations against any connected Parse Server using the master key, potentially leading to data breaches and complete server compromise. The vulnerability affects versions prior to 9.0.0-alpha.8, and a fix has been released.
The impact of CVE-2026-27595 is severe due to the unrestricted access it grants to the Parse Server database. An attacker exploiting this vulnerability can read, modify, or delete any data stored within the Parse Server, including user credentials, application data, and sensitive configuration information. This could lead to complete data exfiltration, account takeover, and disruption of service. The lack of authentication means that no prior access or credentials are required to exploit this vulnerability, significantly broadening the attack surface. The ability to manipulate the database using the master key provides a high degree of control over the Parse Server, enabling attackers to perform actions that would normally require administrative privileges.
This vulnerability was publicly disclosed on February 25, 2026. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the potential impact make it a high-priority concern. No public proof-of-concept (PoC) code has been released, but the vulnerability's simplicity suggests that a PoC could be developed quickly. It is not listed on the CISA KEV catalog at the time of this writing.
Organizations and developers using Parse Dashboard to manage their Parse Server instances are at risk, particularly those running versions prior to 9.0.0-alpha.8. Shared hosting environments where multiple Parse Servers share the same infrastructure are especially vulnerable, as a compromise of one instance could potentially lead to the compromise of others.
• nodejs / server:
grep -r 'apps/:appId/agent' /opt/parse-dashboard/config.json
• nodejs / server:
ps aux | grep 'parse-dashboard' | grep '/apps/:appId/agent'
• generic web:
Check Parse Dashboard configuration files for the presence of the agent configuration block. Review access logs for unusual activity targeting the /apps/:appId/agent endpoint.
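The two checks above (does the dashboard config carry an agent block, and has anything been hitting /apps/:appId/agent) can be run together from one script. The following is an added example written for this page, not code from the advisory or from the Parse project; the layout of the sample config, the common-log-format lines and the client address 203.0.113.7 are all constructed, and the script assumes only that the vulnerable block is a JSON object keyed `agent`, wherever it sits in the file.

```python
import json
import re
from collections import Counter

# Constructed sample config. The real Parse Dashboard file may nest the
# block differently; find_agent_blocks() only relies on the key name "agent".
SAMPLE_CONFIG = json.loads("""
{
  "apps": [
    {"appId": "app-one", "serverURL": "http://parse.internal:1337/parse",
     "agent": {"models": [{"provider": "placeholder-provider"}]}},
    {"appId": "app-two", "serverURL": "http://parse.internal:1338/parse"}
  ],
  "users": [{"user": "admin", "pass": "placeholder-hash"}]
}
""")

# Constructed access-log lines (common log format); 203.0.113.7 is a
# documentation address standing in for an unknown client.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Feb/2026:10:00:01 +0000] "GET /apps/app-one/browser HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Feb/2026:10:00:02 +0000] "POST /apps/app-one/agent HTTP/1.1" 200 1024',
    '203.0.113.7 - - [25/Feb/2026:10:00:03 +0000] "POST /apps/app-one/agent?x=1 HTTP/1.1" 200 1024',
    '10.0.0.5 - - [25/Feb/2026:10:00:04 +0000] "GET /login HTTP/1.1" 200 300',
]


def load_config(path):
    """Read a dashboard config file from disk (JSON)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def find_agent_blocks(node, path="$"):
    """Yield a JSONPath-like location for every key named 'agent', at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "agent":
                yield child
            yield from find_agent_blocks(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_agent_blocks(item, f"{path}[{index}]")


# Matches the request line of a log entry that targets /apps/<appId>/agent,
# with or without a trailing path segment or query string.
AGENT_ROUTE = re.compile(
    r'"(?P<method>[A-Z]+) /apps/(?P<app>[^/ ]+)/agent(?:[/?][^ ]*)? HTTP'
)


def agent_requests(lines):
    """Return one record per log line whose request hits the agent endpoint."""
    hits = []
    for line in lines:
        match = AGENT_ROUTE.search(line)
        if match:
            hits.append({
                "ip": line.split(" ", 1)[0],
                "method": match["method"],
                "app": match["app"],
                "line": line,
            })
    return hits


def summarize(config, log_lines):
    """Combine both checks: is the workaround needed, and who has been calling the route."""
    blocks = list(find_agent_blocks(config))
    hits = agent_requests(log_lines)
    return {
        "agent_blocks": blocks,
        "workaround_needed": bool(blocks),   # True -> remove the block or upgrade
        "agent_requests": hits,
        "requests_by_ip": dict(Counter(h["ip"] for h in hits)),
    }


if __name__ == "__main__":
    # Replace SAMPLE_CONFIG with load_config("/opt/parse-dashboard/config.json")
    # and SAMPLE_LOG with the dashboard's real access log to run this for real.
    print(json.dumps(summarize(SAMPLE_CONFIG, SAMPLE_LOG), indent=2))
```

A non-empty `agent_blocks` list means the dashboard is exposed until it is upgraded or the block is removed; `requests_by_ip` gives a quick first cut for the log review the advisory recommends, since legitimate dashboard users and unexpected source addresses tend to separate cleanly there.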
disclosure
Exploitation status
EPSS
0.05% (15th percentile)
CISA SSVC
The primary mitigation for CVE-2026-27595 is to upgrade Parse Dashboard to version 9.0.0-alpha.8 or later, which includes authentication middleware to protect the agent endpoint. If upgrading is not immediately feasible, a temporary workaround is to remove the agent configuration block from your dashboard configuration. Dashboards without an agent configuration are not affected by this vulnerability. Ensure that your Parse Server's master key is stored securely and not exposed in publicly accessible locations. Regularly review your Parse Dashboard configuration for any unauthorized changes.
Update Parse Dashboard to version 9.0.0-alpha.8 or later. Alternatively, remove or comment out the agent configuration block from the Parse Dashboard configuration.
CVE-2026-27595 is a critical authentication bypass vulnerability in Parse Dashboard allowing unauthenticated access to the Parse Server database. It affects versions before 9.0.0-alpha.8.
You are affected if you are using Parse Dashboard versions prior to 9.0.0-alpha.8 and have the 'agent' configuration block enabled.
Upgrade to Parse Dashboard version 9.0.0-alpha.8 or later. Alternatively, remove the 'agent' configuration block from your dashboard configuration.
There is currently no evidence of active exploitation, but the vulnerability's ease of exploitation warrants immediate attention.
You can find the advisory on the Parse Community GitHub security page: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-qwc3-h9mg-45