CVE-2026-27610

UNKNOWN 0.0

Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.

CWE	CWE-1289
Vendor	parse-community
Product	parse-dashboard
Published	Feb 25, 2026
Last Updated	Feb 27, 2026

Stay Ahead of the Next One

Get instant alerts for parse-community parse-dashboard

Be the first to know when new unknown vulnerabilities affecting parse-community parse-dashboard are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

parse-community / parse-dashboard

>= 7.3.0-alpha.42, < 9.0.0-alpha.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr github.com: https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50 github.com: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8