Parse Dashboard
CVE-2026-27609
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Classic CSRF: network vector, low complexity, no attacker privileges but UI:R for victim visit; session abuse drives backend changes so S:C with I:H, no confidentiality or availability impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST /apps/:appId/agent) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the agent configuration block from your dashboard configuration. Dashboards without an agent config are not affected.
AnalysisAI
Cross-site request forgery in Parse Dashboard (versions 7.3.0-alpha.42 through 9.0.0-alpha.7) lets a remote attacker abuse the unprotected AI Agent endpoint (POST /apps/:appId/agent), which lacks CSRF protection and a session-bound token. By luring an authenticated dashboard operator to a malicious web page, the attacker forces agent requests to execute under the victim's session, driving state-changing operations against managed Parse Server apps. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue is fixed in 9.0.0-alpha.8.
Technical ContextAI
Parse Dashboard is the Node.js (npm: parse-dashboard) web management console for Parse Server, an open-source mobile/web backend (MBaaS) platform. The root cause is CWE-352 (Cross-Site Request Forgery): the AI Agent API route did not validate an anti-CSRF token, so the browser's automatic inclusion of the dashboard session cookie was sufficient to authorize a forged cross-origin request. The CPE data (cpe:2.3:a:parseplatform:parse_dashboard) confirms the affected target is the parse_dashboard application running on the node.js platform, and the GitHub advisory (GHSA-3534-xp88-25rc, with the fix tracked under GHSA-qwc3-h9mg-4582 / issue #3224 / commit f92a9ef) shows the remediation introduced CSRF middleware plus a CSRF token embedded in the rendered dashboard page.
RemediationAI
Vendor-released patch: 9.0.0-alpha.8 - upgrade the parse-dashboard package to 9.0.0-alpha.8 or later, which adds CSRF middleware to the agent endpoint and embeds a per-page CSRF token (release: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8). If you cannot upgrade immediately, the vendor-endorsed workaround is to remove the 'agent' configuration block from your dashboard configuration, which fully eliminates exposure because dashboards without an agent config are not affected; the trade-off is loss of the AI Agent feature until you patch. As additional hardening pending upgrade, restrict network access to the dashboard (e.g., place it behind a VPN/allowlist) and ensure operators do not browse untrusted sites within authenticated dashboard sessions. Refer to GHSA-3534-xp88-25rc for authoritative guidance.
More in Parse Dashboard
View allUnauthenticated arbitrary database read/write in Parse Dashboard's AI Agent endpoint (POST /apps/:appId/agent) lets remo
Broken authorization in Parse Dashboard's AI Agent endpoint (POST /apps/:appId/agent) lets any authenticated user reach
Privilege escalation via cache key collision in Parse Dashboard (npm parse-dashboard) versions 7.3.0-alpha.42 through 9.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-3534-xp88-25rc