Description
The AI Agent API endpoint (POST /apps/:appId/agent) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim’s session.
Recommendation
Update the parse-dashboard package to the latest compatible version. Version details:
- Affected version(s): >= 7.3.0-alpha.42, < 9.0.0-alpha.8
- Patched version(s): 9.0.0-alpha.8
References
Related Issues
- Parse Dashboard is Missing Authorization for its Agent Endpoint - CVE-2026-27608
- Parse Dashboard has incomplete authentication on AI Agent endpoint - CVE-2026-27595
- Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions - CVE-2026-27610
- Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint - CVE-2026-32269
- Tags: npm, parse-dashboard
Last updated on February 25, 2026