CVE-2026-27609
MEDIUM
GHSA-3534-xp88-25rc
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
3Tags
Description
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.
Analysis
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 fail to implement CSRF protection on the AI Agent API endpoint, allowing attackers to perform unauthorized actions through the endpoint by tricking authenticated dashboard users into visiting malicious web pages. An attacker can exploit this to manipulate Parse Server applications managed through the vulnerable dashboard without explicit user consent. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running versions 7.3.0-alpha.42 and apply vendor patches as part of regular patch cycle. Verify anti-CSRF tokens are enforced.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today