CVE-2026-27609
- Source
- https://cve.org/CVERecord?id=CVE-2026-27609
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27609.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-27609
- Aliases
- Published
- 2026-02-25T02:18:28.909Z
- Modified
- 2026-04-10T05:38:31.196788Z
- Severity
-
- 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N CVSS Calculator
- Summary
- Parse Dashboard Missing CSRF Protection on Agent Endpoint
- Details
-
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (
POST /apps/:appId/agent) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove theagentconfiguration block from your dashboard configuration. Dashboards without anagentconfig are not affected. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-352" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27609.json" }- References
-
- https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27609.json
- https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc
- https://nvd.nist.gov/vuln/detail/CVE-2026-27609