Skip to main content

Parse Dashboard CVE-2026-27609

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-02-25 security-advisories@github.com GHSA-3534-xp88-25rc
8.3
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.4 HIGH

Classic CSRF: network vector, low complexity, no attacker privileges but UI:R for victim visit; session abuse drives backend changes so S:C with I:H, no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

9
Analysis Updated
Jun 26, 2026 - 17:18 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 26, 2026 - 17:16 vuln.today
Analysis Updated
Jun 26, 2026 - 17:16 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 17:07 vuln.today
cvss_changed
Severity Changed
Jun 26, 2026 - 17:07 NVD
MEDIUM HIGH
CVSS changed
Jun 26, 2026 - 17:07 NVD
6.5 (MEDIUM) 8.3 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 25, 2026 - 03:16 nvd
MEDIUM 6.5

DescriptionCVE.org

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST /apps/:appId/agent) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the agent configuration block from your dashboard configuration. Dashboards without an agent config are not affected.

AnalysisAI

Cross-site request forgery in Parse Dashboard (versions 7.3.0-alpha.42 through 9.0.0-alpha.7) lets a remote attacker abuse the unprotected AI Agent endpoint (POST /apps/:appId/agent), which lacks CSRF protection and a session-bound token. By luring an authenticated dashboard operator to a malicious web page, the attacker forces agent requests to execute under the victim's session, driving state-changing operations against managed Parse Server apps. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue is fixed in 9.0.0-alpha.8.

Technical ContextAI

Parse Dashboard is the Node.js (npm: parse-dashboard) web management console for Parse Server, an open-source mobile/web backend (MBaaS) platform. The root cause is CWE-352 (Cross-Site Request Forgery): the AI Agent API route did not validate an anti-CSRF token, so the browser's automatic inclusion of the dashboard session cookie was sufficient to authorize a forged cross-origin request. The CPE data (cpe:2.3:a:parseplatform:parse_dashboard) confirms the affected target is the parse_dashboard application running on the node.js platform, and the GitHub advisory (GHSA-3534-xp88-25rc, with the fix tracked under GHSA-qwc3-h9mg-4582 / issue #3224 / commit f92a9ef) shows the remediation introduced CSRF middleware plus a CSRF token embedded in the rendered dashboard page.

RemediationAI

Vendor-released patch: 9.0.0-alpha.8 - upgrade the parse-dashboard package to 9.0.0-alpha.8 or later, which adds CSRF middleware to the agent endpoint and embeds a per-page CSRF token (release: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8). If you cannot upgrade immediately, the vendor-endorsed workaround is to remove the 'agent' configuration block from your dashboard configuration, which fully eliminates exposure because dashboards without an agent config are not affected; the trade-off is loss of the AI Agent feature until you patch. As additional hardening pending upgrade, restrict network access to the dashboard (e.g., place it behind a VPN/allowlist) and ensure operators do not browse untrusted sites within authenticated dashboard sessions. Refer to GHSA-3534-xp88-25rc for authoritative guidance.

Share

CVE-2026-27609 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy