Parse Dashboard Missing Authorization Vulnerability in AI Agent API Endpoint
Vulnerability
A vulnerability exists in Parse Dashboard versions 7.3.0-alpha.42 prior to 9.0.0-alpha.7, where the AI Agent API endpoint ('POST /apps/:appId/agent') lacks proper authorization. This issue allows authenticated users, assigned to specific apps, to access the agent endpoint of any other app by simply changing the app ID in the URL. Additionally, read-only users receive the full master key instead of the restricted read-only master key, enabling them to add write permissions in the request body and perform write or delete operations. This vulnerability affects only dashboards with the 'agent' configuration enabled.
Impact
Exploitation of this vulnerability allows unauthorized access to the AI Agent API endpoint, where read-only users can gain full master key privileges and perform write and delete operations, according to the advisory.
Remediation
Users can upgrade to Parse Dashboard version 9.0.0-alpha.8, which addresses this vulnerability by implementing per-app authorization checks and limiting read-only users to the 'readOnlyMasterKey' with server-side restrictions on write permissions. As an alternative, the 'agent' configuration block can be removed from the dashboard configuration; dashboards without the 'agent' config are not affected.
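To make the two findings concrete, the following added example (not Parse Dashboard's own code) contrasts the unauthorized key handout described in the advisory with the per-app authorization check and read-only key selection that the fix describes. The app and user records are constructed; their shape follows the dashboard's documented config (apps with 'masterKey' and 'readOnlyMasterKey', users with an 'apps' list carrying 'readOnly' flags). The 'permissions.write' body field and the function names are assumptions for illustration.

```javascript
// Added example, not Parse Dashboard code. Models the authorization decision
// for POST /apps/:appId/agent. Records below are constructed sample data.
const apps = {
  app1: { masterKey: 'MK-app1', readOnlyMasterKey: 'RO-app1' },
  app2: { masterKey: 'MK-app2', readOnlyMasterKey: 'RO-app2' },
};

const users = {
  // alice: full access to app1 only
  alice: { apps: [{ appId: 'app1', readOnly: false }] },
  // bob: read-only access to app1 only
  bob: { apps: [{ appId: 'app1', readOnly: true }] },
};

// Vulnerable pattern: authentication only. Any logged-in user reaches any app
// by changing the URL's appId, and the full master key is returned regardless
// of the user's read-only flag.
function vulnerableAgentKey(username, appId) {
  if (!users[username] || !apps[appId]) return null;
  return apps[appId].masterKey;
}

// Hardened pattern: (1) the user must be assigned to the requested app,
// (2) read-only users get only the readOnlyMasterKey, (3) write permission
// requested in the body (assumed field 'permissions.write') is rejected
// server-side for read-only users instead of being trusted from the client.
function authorizeAgentRequest(username, appId, body) {
  const user = users[username];
  const app = apps[appId];
  if (!user || !app) return { status: 404, reason: 'unknown user or app' };

  const grant = user.apps.find((a) => a.appId === appId);
  if (!grant) return { status: 403, reason: 'user not assigned to app' };

  const wantsWrite = Boolean(body && body.permissions && body.permissions.write);
  const readOnly = Boolean(user.readOnly || grant.readOnly);

  if (readOnly) {
    if (wantsWrite) {
      return { status: 403, reason: 'read-only user requested write permission' };
    }
    return { status: 200, key: app.readOnlyMasterKey, permissions: { read: true, write: false } };
  }
  return { status: 200, key: app.masterKey, permissions: { read: true, write: wantsWrite } };
}

// Stand-alone demo: the vulnerable path leaks app2's master key to bob,
// the hardened path refuses both the cross-app access and the write escalation.
console.log('vulnerable, bob -> app2:', vulnerableAgentKey('bob', 'app2'));
console.log('hardened, bob -> app2:', authorizeAgentRequest('bob', 'app2', {}));
console.log('hardened, bob -> app1 with write:',
  authorizeAgentRequest('bob', 'app1', { permissions: { write: true } }));
console.log('hardened, alice -> app1 with write:',
  authorizeAgentRequest('alice', 'app1', { permissions: { write: true } }));
```

The decisive design point is that the write permission is derived from the server-side user record, never from the request body; rejecting the request (as here) or silently stripping the flag are both acceptable as long as the client-supplied value is not trusted.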
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
