Parse Dashboard Missing CSRF Protection on Agent Endpoint
Description
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST /apps/:appId/agent) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the agent configuration block from your dashboard configuration. Dashboards without an agent config are not affected.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| parse-dashboard (npm) | >= 7.3.0-alpha.42, < 9.0.0-alpha.8 | 9.0.0-alpha.8 |
Affected products
- Range: >= 7.3.0-alpha.42, < 9.0.0-alpha.8
References
- github.com/advisories/GHSA-3534-xp88-25rc (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-27609 (ADVISORY)
- github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8 (WEB, x_refsource_MISC)
- github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc (WEB, x_refsource_CONFIRM)