CVE-2026-27609
- Source
- https://cve.org/CVERecord?id=CVE-2026-27609
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27609.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-27609
- Aliases
- Published
- 2026-02-25T02:18:28.909Z
- Modified
- 2026-03-03T02:56:35.912697Z
- Severity
-
- 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N CVSS Calculator
- Summary
- Parse Dashboard Missing CSRF Protection on Agent Endpoint
- Details
-
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (
POST /apps/:appId/agent) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove theagentconfiguration block from your dashboard configuration. Dashboards without anagentconfig are not affected. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27609.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-352" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27609.json
- https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
- https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc
- https://nvd.nist.gov/vuln/detail/CVE-2026-27609
Affected packages
Git / github.com/parse-community/parse-dashboard
Affected versions
7.*
7.3.0
7.3.0-alpha.42
7.3.0-alpha.43
7.3.0-alpha.44
7.4.0
7.4.0-alpha.1
7.4.0-alpha.2
7.4.0-alpha.3
7.4.0-alpha.4
7.4.0-alpha.5
7.5.0
7.5.0-alpha.1
7.5.0-alpha.2
7.6.0-alpha.1
7.6.0-alpha.10
7.6.0-alpha.11
7.6.0-alpha.12
7.6.0-alpha.13
7.6.0-alpha.2
7.6.0-alpha.3
7.6.0-alpha.4
7.6.0-alpha.5
7.6.0-alpha.6
7.6.0-alpha.7
7.6.0-alpha.8
7.6.0-alpha.9
8.*
8.0.0
8.0.0-alpha.1
8.0.0-alpha.2
8.0.0-alpha.3
8.0.0-alpha.4
8.0.0-alpha.5
8.0.0-alpha.6
8.1.0
8.1.0-alpha.1
8.1.0-alpha.10
8.1.0-alpha.11
8.1.0-alpha.12
8.1.0-alpha.13
8.1.0-alpha.2
8.1.0-alpha.3
8.1.0-alpha.4
8.1.0-alpha.5
8.1.0-alpha.6
8.1.0-alpha.7
8.1.0-alpha.8
8.1.0-alpha.9
8.1.1-alpha.1
8.2.0
8.2.0-alpha.1
8.2.0-alpha.10
8.2.0-alpha.11
8.2.0-alpha.12
8.2.0-alpha.13
8.2.0-alpha.14
8.2.0-alpha.15
8.2.0-alpha.16
8.2.0-alpha.17
8.2.0-alpha.18
8.2.0-alpha.19
8.2.0-alpha.2
8.2.0-alpha.20
8.2.0-alpha.21
8.2.0-alpha.22
8.2.0-alpha.23
8.2.0-alpha.24
8.2.0-alpha.25
8.2.0-alpha.26
8.2.0-alpha.27
8.2.0-alpha.3
8.2.0-alpha.4
8.2.0-alpha.5
8.2.0-alpha.6
8.2.0-alpha.7
8.2.0-alpha.8
8.2.0-alpha.9
8.3.0
8.3.0-alpha.1
8.3.0-alpha.10
8.3.0-alpha.11
8.3.0-alpha.12
8.3.0-alpha.13
8.3.0-alpha.14
8.3.0-alpha.15
8.3.0-alpha.16
8.3.0-alpha.17
8.3.0-alpha.18
8.3.0-alpha.19
8.3.0-alpha.2
8.3.0-alpha.20
8.3.0-alpha.21
8.3.0-alpha.22
8.3.0-alpha.23
8.3.0-alpha.24
8.3.0-alpha.25
8.3.0-alpha.26
8.3.0-alpha.27
8.3.0-alpha.28
8.3.0-alpha.29
8.3.0-alpha.3
8.3.0-alpha.30
8.3.0-alpha.31
8.3.0-alpha.32
8.3.0-alpha.33
8.3.0-alpha.34
8.3.0-alpha.35
8.3.0-alpha.36
8.3.0-alpha.37
8.3.0-alpha.38
8.3.0-alpha.39
8.3.0-alpha.4
8.3.0-alpha.40
8.3.0-alpha.41
8.3.0-alpha.42
8.3.0-alpha.43
8.3.0-alpha.5
8.3.0-alpha.6
8.3.0-alpha.7
8.3.0-alpha.8
8.3.0-alpha.9
8.4.0
8.4.0-alpha.1
8.4.1-alpha.1
8.4.1-alpha.2
8.5.0
8.5.0-alpha.1
8.5.0-alpha.2
8.5.0-alpha.3
8.5.0-alpha.4
8.5.0-alpha.5
8.5.0-alpha.6
8.5.0-alpha.7
9.*
9.0.0-alpha.1
9.0.0-alpha.2
9.0.0-alpha.3
9.0.0-alpha.4
9.0.0-alpha.5
9.0.0-alpha.6
9.0.0-alpha.7