PT-2026-21837 · Parse · Parse-Dashboard
Mtrezza
·
Published
2026-02-25
·
Updated
2026-02-25
·
CVE-2026-27609
CVSS v4.0
8.3
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N |
Name of the Vulnerable Software and Affected Versions
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7
Description
The Parse Dashboard AI Agent API endpoint (
POST /apps/:appId/agent) does not have Cross-Site Request Forgery (CSRF) protection. An attacker can create a malicious webpage that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim’s session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page.Recommendations
Versions 7.3.0-alpha.42 through 9.0.0-alpha.7: Remove the
agent configuration block from your dashboard configuration.Exploit
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Parse-Dashboard