Cross-site request forgery in parse-dashboard

Description

Parse Dashboard is Missing CSRF Protection for its Agent Endpoint

Impact

The AI Agent API endpoint (POST /apps/:appId/agent) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session.

Patches

The fix adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page.
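
The pattern the fix describes, as an added example that is not parse-dashboard's own code: an Express-style middleware that rejects state-changing requests lacking the per-session token embedded in the page. The `x-csrf-token` header name, the `session.csrfToken` field and all function names are assumptions for illustration.

```javascript
// Added example (not the project's code): synchronizer-token CSRF check.
const crypto = require('crypto');

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Issue (or reuse) the per-session token. The server embeds this value in the
// rendered dashboard page so same-origin scripts can send it back in a header.
function issueCsrfToken(session) {
  if (!session.csrfToken) {
    session.csrfToken = crypto.randomBytes(32).toString('hex');
  }
  return session.csrfToken;
}

// Constant-time comparison; a missing value on either side never matches.
function tokensMatch(expected, presented) {
  if (typeof expected !== 'string' || typeof presented !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(presented);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Middleware with the usual (req, res, next) shape, meant to be mounted in
// front of a state-changing route such as POST /apps/:appId/agent.
function csrfProtect(req, res, next) {
  if (SAFE_METHODS.has(req.method)) return next();
  const expected = req.session && req.session.csrfToken;
  const presented = req.headers['x-csrf-token']; // assumed header name
  if (!tokensMatch(expected, presented)) {
    res.statusCode = 403;
    return res.end('invalid CSRF token');
  }
  return next();
}

// Constructed request/response stubs so the check runs without a server.
// A cross-site request carries the session cookie (modelled by `session`)
// but cannot read the page-embedded token, so it arrives without the header.
function simulate(method, session, headers) {
  const req = { method, session, headers, url: '/apps/demo/agent' };
  const res = { statusCode: 200, body: '', end(b) { this.body = b || ''; } };
  let reached = false;
  csrfProtect(req, res, () => { reached = true; });
  return { status: res.statusCode, reached };
}
```
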

Workarounds

Remove the agent configuration block from your dashboard configuration. Dashboards without an agent config are not affected.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
