Platform
nodejs
Component
parse-dashboard
Fixed in
7.3.1
9.0.0-alpha.8
CVE-2026-27609 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in Parse Dashboard. This flaw allows an attacker to execute unauthorized actions on behalf of an authenticated user through crafted malicious pages. The vulnerability impacts versions before 9.0.0-alpha.8, and a fix has been released. Removing the 'agent' configuration block provides a workaround.
The core impact of CVE-2026-27609 lies in its ability to allow an attacker to leverage a victim's authenticated session within Parse Dashboard. By crafting a malicious webpage, an attacker can trick a logged-in user into unknowingly submitting requests to the AI Agent API endpoint (POST /apps/:appId/agent). This could lead to unauthorized data modification, configuration changes, or other actions depending on the permissions associated with the user's session. The blast radius is limited to users with access to the dashboard and those who interact with the agent functionality. This vulnerability shares similarities with other CSRF exploits, where user interaction is the primary attack vector.
CVE-2026-27609 was publicly disclosed on February 25, 2026, via a GitHub advisory. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the vulnerability's nature makes it relatively straightforward to exploit once a target is identified.
Organizations using Parse Dashboard for backend management, particularly those leveraging the AI Agent API, are at risk. Shared hosting environments where multiple dashboards might share the same server configuration are also potentially vulnerable, as misconfigurations in one dashboard could impact others.
• nodejs / server:
  grep -n '"agent"' ./config.json  # check whether an agent configuration block is present in the dashboard config
• generic web:
  curl -s -o /dev/null -w '%{http_code}\n' -X POST https://your-parse-dashboard/apps/:appId/agent  # verify endpoint exposure (should return 403 after mitigation)
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
The primary mitigation for CVE-2026-27609 is to upgrade Parse Dashboard to version 9.0.0-alpha.8 or later, which includes CSRF protection for the agent endpoint. If upgrading immediately is not feasible, a viable workaround is to remove the agent configuration block from your dashboard configuration. Dashboards without an agent configuration are not affected by this vulnerability. After upgrading, confirm the fix by attempting to access the agent endpoint with a CSRF token missing – the request should be rejected.
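As an added example (not code from the Parse Dashboard project), a small Node.js script that audits a dashboard config object for the `agent` block the workaround above removes and returns a hardened copy with it stripped. It assumes the block may sit at the top level of the config or inside an entry of the standard `apps` array; the sample config is constructed.

```javascript
// Added example, not Parse Dashboard's own code: audit a dashboard config object for
// the `agent` block that the CVE-2026-27609 workaround says to remove, and return a
// hardened copy with that block stripped. Assumption: the block may sit at the top
// level of the config or inside an entry of the standard `apps` array.

// Constructed sample in the shape of a parse-dashboard config.json; only `apps` and
// `agent` matter here, the other keys and values are illustrative.
const SAMPLE_CONFIG = {
  apps: [
    { appId: "app-one", appName: "One", serverURL: "http://localhost:1337/parse",
      masterKey: "<redacted>", agent: { provider: "example-provider" } },
    { appId: "app-two", appName: "Two", serverURL: "http://localhost:1337/parse",
      masterKey: "<redacted>" },
  ],
  agent: { provider: "example-provider" },
};

// List the locations of every `agent` key found, as JSON-pointer style paths.
function findAgentBlocks(config) {
  const found = [];
  if (config.agent !== undefined) found.push("/agent");
  (config.apps || []).forEach((app, i) => {
    if (app && app.agent !== undefined) found.push(`/apps/${i}/agent`);
  });
  return found;
}

// Return a deep copy of the config with every `agent` key removed; the original
// object is left untouched so the caller can diff the two.
function stripAgentBlocks(config) {
  const copy = JSON.parse(JSON.stringify(config));
  delete copy.agent;
  for (const app of copy.apps || []) delete app.agent;
  return copy;
}

// Convenience wrapper for a config file's text: returns what was found and the
// hardened JSON text to write back once the findings have been reviewed.
function auditConfigText(jsonText) {
  const config = JSON.parse(jsonText);
  const found = findAgentBlocks(config);
  const hardened = JSON.stringify(stripAgentBlocks(config), null, 2);
  return { found, hardened };
}

const report = auditConfigText(JSON.stringify(SAMPLE_CONFIG));
console.log("agent blocks found:", report.found); // [ '/agent', '/apps/0/agent' ]
console.log("after stripping:", findAgentBlocks(JSON.parse(report.hardened))); // []
```

Run it against the real file with `auditConfigText(fs.readFileSync("config.json", "utf8"))` and review the hardened text before replacing the live config.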
Update Parse Dashboard to version 9.0.0-alpha.8 or later. Alternatively, remove the `agent` configuration block from the dashboard configuration. Dashboards without an `agent` configuration are not affected.
CVE-2026-27609 is a Cross-Site Request Forgery vulnerability in Parse Dashboard versions before 9.0.0-alpha.8, allowing attackers to perform actions as authenticated users.
You are affected if you are using Parse Dashboard versions prior to 9.0.0-alpha.8 and have the 'agent' configuration enabled.
Upgrade to Parse Dashboard version 9.0.0-alpha.8 or later. Alternatively, remove the 'agent' configuration block from your dashboard configuration.
There is currently no evidence of active exploitation, but the vulnerability is relatively easy to exploit.
You can find the advisory on the Parse Dashboard GitHub repository: https://github.com/parse-community/parse-dashboard/secur