CVE-2026-27609
February 25, 2026
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint ("POST /apps/:appId/agent") lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the "agent" configuration block from your dashboard configuration. Dashboards without an "agent" config are not affected.
Affected Packages
parse-dashboard (NPM):
Affected version(s) >=7.3.0-alpha.42 <9.0.0-alpha.8Fix Suggestion:
Update to version 9.0.0-alpha.8Related ResourcesĀ (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
HIGH
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Cross-Site Request Forgery (CSRF)
EPSS
Base Score:
0.01
