
CVE-2026-27595: CWE-306: Missing Authentication for Critical Function in parse-community parse-dashboard

Severity: Critical
Tags: Vulnerability, CVE-2026-27595, CWE-306
Published: Wed Feb 25 2026 (02/25/2026, 02:21:33 UTC)
Source: CVE Database V5
Vendor/Project: parse-community
Product: parse-dashboard

Description

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha.8 adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. Read-only users are restricted to the `readOnlyMasterKey` with write permissions stripped server-side. A cache key collision between master key and read-only master key was also corrected. As a workaround, remove or comment out the agent configuration block from your Parse Dashboard configuration.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/04/2026, 18:55:26 UTC

Technical Analysis

Parse Dashboard is a management interface for Parse Server applications, enabling administrators to monitor and control backend data. Versions 7.3.0-alpha.42 through 9.0.0-alpha.7 contain a critical security flaw in the AI Agent API endpoint (POST `/apps/:appId/agent`). This endpoint lacks proper authentication and authorization controls, allowing unauthenticated remote attackers to chain multiple vulnerabilities and leverage the master key to perform arbitrary read and write operations on any connected Parse Server database. The master key is a highly privileged credential that grants full access to the backend data store. The vulnerability stems from missing authentication (CWE-306) on a critical function, combined with insufficient CSRF protections and a cache key collision between the master key and read-only master key, which could allow privilege escalation or unauthorized write access. The agent feature is opt-in, so only dashboards configured with the agent are vulnerable. The fix introduced in version 9.0.0-alpha.8 implements authentication, CSRF validation, and per-app authorization middleware to restrict access appropriately. Additionally, read-only users are limited to a readOnlyMasterKey with write permissions removed server-side, mitigating risk. The vulnerability has a CVSS 4.0 base score of 9.9, reflecting its critical impact and ease of exploitation without authentication or user interaction. No known exploits are reported in the wild yet, but the severity and nature of the flaw make it a high priority for patching.

Potential Impact

This vulnerability allows unauthenticated attackers to gain full read and write access to any Parse Server database connected to a vulnerable parse-dashboard instance with the agent feature enabled. An attacker can exfiltrate sensitive data, modify or delete records, and disrupt application availability or integrity. Because the master key grants unrestricted access, a compromise can amount to a complete backend takeover, with data breaches and loss of trust. Organizations running affected versions of parse-dashboard with the agent feature enabled are at risk of severe data compromise, and the impact extends to every application relying on that Parse Server for backend services, including mobile apps, web applications, and IoT solutions. The lack of authentication and CSRF protections enables remote exploitation without user interaction, so the consequences can include widespread data leaks, unauthorized data manipulation, and service disruption affecting business operations and regulatory compliance.

Mitigation Recommendations

Upgrade parse-dashboard to version 9.0.0-alpha.8 or later, which includes authentication, CSRF validation, and per-app authorization middleware for the agent endpoint. If immediate upgrade is not feasible, remove or comment out the agent configuration block from the parse-dashboard configuration to disable the vulnerable feature. Review and rotate master keys and readOnlyMasterKeys after patching to prevent misuse of compromised credentials. Implement network-level access controls to restrict dashboard access to trusted administrators and internal networks. Monitor logs for unusual API activity targeting the agent endpoint. Employ web application firewalls (WAFs) to detect and block unauthorized requests to the vulnerable endpoint. Conduct security audits of Parse Server deployments to ensure no other misconfigurations exist. Educate development and operations teams about the risks of enabling opt-in features without proper security controls.
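A triage helper a defender might use to act on the recommendations above, added here as an example and not code from parse-dashboard or from this advisory. It checks whether an installed version falls inside the affected range stated on this page (using semver pre-release ordering, so 9.0.0-alpha.10 and 9.0.0 correctly come out as unaffected while 8.0.0 does not), flags a dashboard configuration that still carries the agent block, and extracts requests to the agent endpoint from access-log lines so they can be reviewed. The top-level `agent` config key, the config shape, and the log lines are assumptions and constructed samples, not values taken from a real deployment.

```python
"""Triage helpers for CVE-2026-27595 (parse-dashboard AI Agent endpoint).

Added example, not parse-dashboard code. Assumptions are marked below.
"""
import json
import re

# Affected range exactly as stated in the advisory (inclusive on both ends).
AFFECTED_MIN = "7.3.0-alpha.42"
AFFECTED_MAX = "9.0.0-alpha.7"
FIXED_VERSION = "9.0.0-alpha.8"

_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def version_key(version):
    """Turn a semver string into a tuple that orders the way semver does.

    A pre-release sorts before its release (9.0.0-alpha.7 < 9.0.0), numeric
    pre-release identifiers compare numerically (alpha.7 < alpha.42), and a
    numeric identifier sorts before an alphanumeric one.
    """
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4)
    if prerelease is None:
        return (core, 1, ())  # a release sorts after every pre-release of its core
    idents = tuple(
        (0, int(p), "") if p.isdigit() else (1, 0, p)
        for p in prerelease.split(".")
    )
    return (core, 0, idents)


def is_affected(version):
    """True if `version` lies within the advisory's affected range."""
    v = version_key(version)
    return version_key(AFFECTED_MIN) <= v <= version_key(AFFECTED_MAX)


def agent_enabled(config):
    """Report whether the dashboard config still carries an agent block.

    ASSUMPTION: the opt-in agent feature lives under a top-level "agent" key;
    the advisory only speaks of "the agent configuration block".
    """
    return bool(config.get("agent"))


def triage(version, config):
    """Combine version and config into a status word plus the action to take."""
    if not is_affected(version):
        return ("not_affected", "No action required for this CVE.")
    if not agent_enabled(config):
        return ("not_exposed",
                f"Affected version but agent feature is off; upgrade to {FIXED_VERSION}+ anyway.")
    return ("vulnerable",
            f"Remove the agent block now and upgrade to {FIXED_VERSION} or later.")


# Matches POST requests to the agent endpoint in common-log-format lines.
_AGENT_HIT = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "POST /apps/([^/\s]+)/agent\b')


def agent_endpoint_hits(log_lines):
    """Return (client, appId) for every POST to /apps/:appId/agent in the logs."""
    hits = []
    for line in log_lines:
        m = _AGENT_HIT.match(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_CONFIG = json.loads('{"apps": [{"appId": "demoApp"}], "agent": {"enabled": true}}')
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2026:10:00:00 +0000] "POST /apps/demoApp/agent HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Mar/2026:10:00:01 +0000] "GET /apps/demoApp/browser HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Mar/2026:10:00:02 +0000] "POST /apps/otherApp/agent HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for v in ("7.3.0-alpha.41", "8.0.0", "9.0.0-alpha.7", "9.0.0-alpha.8", "9.0.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    print(triage("8.0.0", SAMPLE_CONFIG))
    print(agent_endpoint_hits(SAMPLE_LOG))
```

Feed `triage` the version reported by the installed package and the parsed dashboard config; any `vulnerable` result should be paired with a review of the hits `agent_endpoint_hits` returns for the exposure window, since the advisory's own recommendation is to monitor activity against that endpoint.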


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-20T19:43:14.601Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 699e6864b7ef31ef0bae9d01

Added to database: 2/25/2026, 3:11:32 AM

Last enriched: 3/4/2026, 6:55:26 PM

Last updated: 4/12/2026, 10:01:40 AM
