CVE Catalog

CVE-2026-27609

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile - higher than 4% of all known CVEs

Summary

Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 lack CSRF protection for the AI Agent endpoint (`POST /apps/:appId/agent`). An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to this endpoint using the victim's session.

Risk Assessment

The risk involves an attacker performing unauthorized actions within the context of an administrator's session, potentially compromising data integrity or Parse Server app configuration.

Recommendation

Immediately update to version 9.0.0-alpha.8 or later. As a temporary workaround, remove the `agent` configuration block from your dashboard configuration if not needed.

Original NVD description (English source)

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS