GHSA-3534-XP88-25RC
Vulnerability from github – Published: 2026-02-25 18:59 – Updated: 2026-02-25 18:59
VLAI?
Summary
Parse Dashboard is Missing CSRF Protection for its Agent Endpoint
Details
Impact
The AI Agent API endpoint (POST /apps/:appId/agent) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session.
Patches
The fix adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page.
Workarounds
Remove the agent configuration block from your dashboard configuration. Dashboards without an agent config are not affected.
Resources
- GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc
- Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-dashboard"
},
"ranges": [
{
"events": [
{
"introduced": "7.3.0-alpha.42"
},
{
"fixed": "9.0.0-alpha.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27609"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T18:59:58Z",
"nvd_published_at": "2026-02-25T03:16:05Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim\u0027s session.\n\n### Patches\n\nThe fix adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page.\n\n### Workarounds\n\nRemove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.\n\n### Resources\n\n- GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc\n- Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8",
"id": "GHSA-3534-xp88-25rc",
"modified": "2026-02-25T18:59:58Z",
"published": "2026-02-25T18:59:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27609"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-dashboard"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Parse Dashboard is Missing CSRF Protection for its Agent Endpoint"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…