CVE
CVE-2026-27609
Parse Dashboard is Missing CSRF Protection for its Agent Endpoint
Impact
The AI Agent API endpoint (POST /apps/:appId/agent) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session.
Patches
The fix adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page.
Workarounds
Remove the agent configuration block from your dashboard configuration. Dashboards without an agent config are not affected.
Resources
- GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc
- Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.3
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-
Related Resources
No items found.
References
https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc, https://nvd.nist.gov/vuln/detail/CVE-2026-27609, https://github.com/parse-community/parse-dashboard, https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
Basic Information
Ecosystem
