CVE-2026-27609

UNKNOWN 0.0

Parse Dashboard Missing CSRF Protection on Agent Endpoint

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.

CWE	CWE-352
Vendor	parse-community
Product	parse-dashboard
Published	Feb 25, 2026
Last Updated	Feb 27, 2026

Stay Ahead of the Next One

Get instant alerts for parse-community parse-dashboard

Be the first to know when new unknown vulnerabilities affecting parse-community parse-dashboard are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

parse-community / parse-dashboard

>= 7.3.0-alpha.42, < 9.0.0-alpha.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc github.com: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8