CVE-2026-27609
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk4th percentile - higher than 4% of all known CVEs
Summary
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 lack CSRF protection for the AI Agent endpoint (`POST /apps/:appId/agent`). An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to this endpoint using the victim's session.
Risk Assessment
The risk involves an attacker performing unauthorized actions within the context of an administrator's session, potentially compromising data integrity or Parse Server app configuration.
Recommendation
Immediately update to version 9.0.0-alpha.8 or later. As a temporary workaround, remove the `agent` configuration block from your dashboard configuration if not needed.
Original NVD description (English source)
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.

