Platform: nodejs
Component: parse-dashboard
Fixed in: 7.3.1, 9.0.0-alpha.8
CVE-2026-27609 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in Parse Dashboard. This flaw allows an attacker to execute unauthorized actions on behalf of an authenticated user through crafted malicious pages. The vulnerability impacts versions before 9.0.0-alpha.8, and a fix has been released. Removing the 'agent' configuration block provides a workaround.
The core impact of CVE-2026-27609 lies in its ability to allow an attacker to leverage a victim's authenticated session within Parse Dashboard. By crafting a malicious webpage, an attacker can trick a logged-in user into unknowingly submitting requests to the AI Agent API endpoint (POST /apps/:appId/agent). This could lead to unauthorized data modification, configuration changes, or other actions depending on the permissions associated with the user's session. The blast radius is limited to users with access to the dashboard and those who interact with the agent functionality. This vulnerability shares similarities with other CSRF exploits, where user interaction is the primary attack vector.
CVE-2026-27609 was publicly disclosed on February 25, 2026, via a GitHub advisory. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the vulnerability's nature makes it relatively straightforward to exploit once a target is identified.
Exploit Status
EPSS: 0.02% (4% percentile)
The primary mitigation for CVE-2026-27609 is to upgrade Parse Dashboard to version 9.0.0-alpha.8 or later, which includes CSRF protection for the agent endpoint. If upgrading immediately is not feasible, a viable workaround is to remove the agent configuration block from your dashboard configuration. Dashboards without an agent configuration are not affected by this vulnerability. After upgrading, confirm the fix by sending a request to the agent endpoint without a CSRF token; the request should be rejected.
Update Parse Dashboard to version 9.0.0-alpha.8 or higher. Alternatively, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` configuration are not affected.
CVE-2026-27609 is a Cross-Site Request Forgery vulnerability in Parse Dashboard versions before 9.0.0-alpha.8, allowing attackers to perform actions as authenticated users.
You are affected if you are using Parse Dashboard versions prior to 9.0.0-alpha.8 and have the 'agent' configuration enabled.
Upgrade to Parse Dashboard version 9.0.0-alpha.8 or later. Alternatively, remove the 'agent' configuration block from your dashboard configuration.
There is currently no evidence of active exploitation, but the vulnerability is relatively easy to exploit.
You can find the advisory on the Parse Dashboard GitHub repository: https://github.com/parse-community/parse-dashboard/secur