CVE-2026-27609
Received Received - Intake
CSRF Vulnerability in Parse Dashboard AI Agent Endpoint

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27609
EUVD
EUVD-2026-8592
Affected Vendors & Products
Showing 136 associated CPEs
Vendor Product Version / Range
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0-alpha.42
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.5.0
parseplatform parse_dashboard 7.5.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.1
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.4.0
parseplatform parse_dashboard 8.4.1
parseplatform parse_dashboard 8.4.1
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27609 is a high-severity vulnerability in the parse-dashboard npm package affecting versions 7.3.0-alpha.42 through 9.0.0-alpha.7. The issue is that the AI Agent API endpoint (POST /apps/:appId/agent) lacks Cross-Site Request Forgery (CSRF) protection.'}, {'type': 'paragraph', 'content': "This means an attacker can create a malicious webpage that, when visited by an authenticated dashboard user, can submit unauthorized requests to the agent endpoint using the victim's session without their consent."}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 9.0.0-alpha.8 by adding CSRF middleware to the agent endpoint and embedding a CSRF token in the dashboard page to prevent such unauthorized requests.'}, {'type': 'paragraph', 'content': "As a workaround, users can remove the 'agent' configuration block from their dashboard configuration, which disables the vulnerable endpoint."}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can allow an attacker to perform unauthorized actions on the Parse Dashboard by submitting requests to the AI Agent API endpoint using the victim's authenticated session."}, {'type': 'paragraph', 'content': 'The impact is primarily on integrity, meaning the attacker can modify data or perform actions that the victim did not intend.'}, {'type': 'paragraph', 'content': 'There is no impact on confidentiality or availability, but the unauthorized modifications can have serious consequences depending on the application.'}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects the AI Agent API endpoint (POST /apps/:appId/agent) in Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7, which lacks CSRF protection.

To detect if your system is vulnerable, you can check the version of your parse-dashboard installation to see if it falls within the affected range.

Additionally, you can monitor network traffic or logs for POST requests to the /apps/:appId/agent endpoint originating from user sessions, which might indicate exploitation attempts.

There are no specific commands provided in the resources to detect this vulnerability directly.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The vulnerability was fixed in parse-dashboard version 9.0.0-alpha.8 by adding CSRF middleware to the agent endpoint and embedding a CSRF token in the dashboard page.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include upgrading your parse-dashboard installation to version 9.0.0-alpha.8 or later.'}, {'type': 'paragraph', 'content': "As a workaround, if upgrading is not immediately possible, remove the 'agent' configuration block from your dashboard configuration. Dashboards without this configuration are not affected by the vulnerability."}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27609. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart