Parse Dashboard Unauthenticated Database Access Vulnerability via AI Agent API
Vulnerability
A vulnerability in Parse Dashboard versions 7.3.0-alpha.42 prior to 9.0.0-alpha.7 allows unauthenticated remote attackers to perform arbitrary read and write operations on any connected Parse Server database using the master key. The issue arises from the lack of authentication on the AI Agent API endpoint (POST '/apps/:appId/agent'): because the endpoint performs no authentication check, any party able to reach it can drive database operations through the agent. The agent feature is opt-in, so dashboards without an agent configuration are not affected.
Impact
Exploitation of this vulnerability allows for unauthorized access and manipulation of database records on the connected Parse Server, using the master key which typically has full access rights.
Remediation
Users can upgrade to Parse Dashboard version 9.0.0-alpha.8, which addresses this vulnerability by adding authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. For those unable to upgrade, the agent configuration block can be removed or commented out in the dashboard configuration.
