CVE-2026-27609

Received Received - Intake

CSRF Vulnerability in Parse Dashboard AI Agent Endpoint

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-25

Last Modified

2026-02-27

Generated

2026-05-27

AI Q&A

2026-02-25

EPSS Evaluated

2026-05-25

NVD

CVE-2026-27609

EUVD

EUVD-2026-8592

Affected Vendors & Products

Vendor	Product	Version / Range
parseplatform	parse_dashboard	7.3.0
parseplatform	parse_dashboard	7.3.0
parseplatform	parse_dashboard	7.3.0
parseplatform	parse_dashboard	7.3.0
parseplatform	parse_dashboard	7.3.0
parseplatform	parse_dashboard	7.3.0
parseplatform	parse_dashboard	7.3.0
parseplatform	parse_dashboard	7.3.0
parseplatform	parse_dashboard	7.3.0-alpha.42
parseplatform	parse_dashboard	7.4.0
parseplatform	parse_dashboard	7.4.0
parseplatform	parse_dashboard	7.4.0
parseplatform	parse_dashboard	7.4.0
parseplatform	parse_dashboard	7.4.0
parseplatform	parse_dashboard	7.5.0
parseplatform	parse_dashboard	7.5.0
parseplatform	parse_dashboard	7.6.0
parseplatform	parse_dashboard	7.6.0
parseplatform	parse_dashboard	7.6.0
parseplatform	parse_dashboard	7.6.0
parseplatform	parse_dashboard	7.6.0
parseplatform	parse_dashboard	7.6.0
parseplatform	parse_dashboard	7.6.0
parseplatform	parse_dashboard	7.6.0
parseplatform	parse_dashboard	7.6.0
parseplatform	parse_dashboard	7.6.0
parseplatform	parse_dashboard	7.6.0
parseplatform	parse_dashboard	7.6.0
parseplatform	parse_dashboard	7.6.0
parseplatform	parse_dashboard	8.0.0
parseplatform	parse_dashboard	8.0.0
parseplatform	parse_dashboard	8.0.0
parseplatform	parse_dashboard	8.0.0
parseplatform	parse_dashboard	8.0.0
parseplatform	parse_dashboard	8.0.0
parseplatform	parse_dashboard	8.1.0
parseplatform	parse_dashboard	8.1.0
parseplatform	parse_dashboard	8.1.0
parseplatform	parse_dashboard	8.1.0
parseplatform	parse_dashboard	8.1.0
parseplatform	parse_dashboard	8.1.0
parseplatform	parse_dashboard	8.1.0
parseplatform	parse_dashboard	8.1.0
parseplatform	parse_dashboard	8.1.0
parseplatform	parse_dashboard	8.1.0
parseplatform	parse_dashboard	8.1.0
parseplatform	parse_dashboard	8.1.0
parseplatform	parse_dashboard	8.1.0
parseplatform	parse_dashboard	8.1.1
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.2.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.3.0
parseplatform	parse_dashboard	8.4.0
parseplatform	parse_dashboard	8.4.1
parseplatform	parse_dashboard	8.4.1
parseplatform	parse_dashboard	8.5.0
parseplatform	parse_dashboard	8.5.0
parseplatform	parse_dashboard	8.5.0
parseplatform	parse_dashboard	8.5.0
parseplatform	parse_dashboard	8.5.0
parseplatform	parse_dashboard	8.5.0
parseplatform	parse_dashboard	8.5.0
parseplatform	parse_dashboard	9.0.0
parseplatform	parse_dashboard	9.0.0
parseplatform	parse_dashboard	9.0.0
parseplatform	parse_dashboard	9.0.0
parseplatform	parse_dashboard	9.0.0
parseplatform	parse_dashboard	9.0.0
parseplatform	parse_dashboard	9.0.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-352	The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Powered Q&A

Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': 'CVE-2026-27609 is a high-severity vulnerability in the parse-dashboard npm package affecting versions 7.3.0-alpha.42 through 9.0.0-alpha.7. The issue is that the AI Agent API endpoint (POST /apps/:appId/agent) lacks Cross-Site Request Forgery (CSRF) protection.'}, {'type': 'paragraph', 'content': "This means an attacker can create a malicious webpage that, when visited by an authenticated dashboard user, can submit unauthorized requests to the agent endpoint using the victim's session without their consent."}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 9.0.0-alpha.8 by adding CSRF middleware to the agent endpoint and embedding a CSRF token in the dashboard page to prevent such unauthorized requests.'}, {'type': 'paragraph', 'content': "As a workaround, users can remove the 'agent' configuration block from their dashboard configuration, which disables the vulnerable endpoint."}] [1]

How can this vulnerability impact me? :

[{'type': 'paragraph', 'content': "This vulnerability can allow an attacker to perform unauthorized actions on the Parse Dashboard by submitting requests to the AI Agent API endpoint using the victim's authenticated session."}, {'type': 'paragraph', 'content': 'The impact is primarily on integrity, meaning the attacker can modify data or perform actions that the victim did not intend.'}, {'type': 'paragraph', 'content': 'There is no impact on confidentiality or availability, but the unauthorized modifications can have serious consequences depending on the application.'}] [1]

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects the AI Agent API endpoint (POST /apps/:appId/agent) in Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7, which lacks CSRF protection.

To detect if your system is vulnerable, you can check the version of your parse-dashboard installation to see if it falls within the affected range.

Additionally, you can monitor network traffic or logs for POST requests to the /apps/:appId/agent endpoint originating from user sessions, which might indicate exploitation attempts.

There are no specific commands provided in the resources to detect this vulnerability directly.

What immediate steps should I take to mitigate this vulnerability?

[{'type': 'paragraph', 'content': 'The vulnerability was fixed in parse-dashboard version 9.0.0-alpha.8 by adding CSRF middleware to the agent endpoint and embedding a CSRF token in the dashboard page.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include upgrading your parse-dashboard installation to version 9.0.0-alpha.8 or later.'}, {'type': 'paragraph', 'content': "As a workaround, if upgrading is not immediately possible, remove the 'agent' configuration block from your dashboard configuration. Dashboards without this configuration are not affected by the vulnerability."}] [1]

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

CVE-2026-27609

CSRF Vulnerability in Parse Dashboard AI Agent Endpoint

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Powered Q&A

Ask Our AI Assistant

EPSS Chart