CVE-2026-27610

Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions

CVSS 7 HIGH | EPSS 0.3% | CWE-1289
In short

Parse Dashboard has a flaw where its cache system uses the same key for both full and read-only master keys, allowing a read-only user to accidentally receive the full master key under certain timing conditions. This compromises security by giving unauthorized access to sensitive administrative credentials.

Technical detail

The `ConfigKeyCache` in Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 uses one cache key for both the master key and the read-only master key when it resolves function-typed keys, so the two credentials collide in the cache. Depending on which session populates the entry first, a lookup can return the wrong credential (the full master key to a read-only session, or the read-only key to a regular session), allowing privilege escalation and unauthorized administrative access.

Summary generated and translated by AI from the official description.
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
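The collision described above can be modelled with a small TTL cache. The following JavaScript is an added example, not Parse Dashboard's own code: class names, the `app` fields, the placeholder key values and the injectable clock are all constructed. It shows the colliding cache (keyed on the app id only) handing whichever credential was resolved first to every later caller within the TTL window, and the fixed cache (key includes the credential kind) keeping the two apart.

```javascript
// Added example, not Parse Dashboard's own code: a minimal model of a cache
// for function-typed master keys, in its colliding and in its fixed form.
// All names and values here are constructed for illustration.

// Constructed app config with function-typed keys, as a dashboard might
// load credentials lazily from a secret store.
function makeApp() {
  return {
    appId: 'app-1',
    masterKey: () => 'FULL-MASTER-KEY',             // placeholder value
    readOnlyMasterKey: () => 'READONLY-MASTER-KEY', // placeholder value
  };
}

// Base TTL cache. Whoever arrives first after an entry expires refills it;
// `now` is injectable so the timing can be simulated deterministically.
class KeyCache {
  constructor({ ttlMs = 1000, now = () => Date.now() } = {}) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.entries = new Map();
  }

  resolve(app, readOnly) {
    const key = this.cacheKey(app, readOnly);
    const hit = this.entries.get(key);
    if (hit && hit.expiresAt > this.now()) return hit.value;
    // Cache miss or expired entry: call the function-typed key resolver.
    const resolver = readOnly ? app.readOnlyMasterKey : app.masterKey;
    const value = resolver();
    this.entries.set(key, { value, expiresAt: this.now() + this.ttlMs });
    return value;
  }
}

// Vulnerable form: the cache key ignores which credential was requested,
// so a read-only lookup can hit an entry filled by a full-privilege lookup.
class CollidingKeyCache extends KeyCache {
  cacheKey(app) {
    return app.appId;
  }
}

// Fixed form: the credential kind is part of the cache key.
class DistinctKeyCache extends KeyCache {
  cacheKey(app, readOnly) {
    return `${app.appId}:${readOnly ? 'readOnlyMasterKey' : 'masterKey'}`;
  }
}

// Simulate two sessions sharing one cache. `order` lists which session
// resolves first, e.g. ['full', 'readonly']; both land inside one TTL window.
function simulate(CacheClass, order) {
  let t = 0;
  const cache = new CacheClass({ ttlMs: 100, now: () => t });
  const app = makeApp();
  const result = { fullSession: null, readOnlySession: null };
  for (const who of order) {
    if (who === 'full') result.fullSession = cache.resolve(app, false);
    else result.readOnlySession = cache.resolve(app, true);
    t += 10;
  }
  return result;
}

// Example: simulate(CollidingKeyCache, ['full', 'readonly']).readOnlySession
// is the full master key; with DistinctKeyCache each session gets its own.
module.exports = { makeApp, KeyCache, CollidingKeyCache, DistinctKeyCache, simulate };
```

The "timing conditions" in the advisory correspond to `order` here: with the colliding cache, the outcome depends only on which session refills the entry first after expiry, which is why the leak is intermittent rather than constant. The fix is purely a keying change; a regression test that runs both orders against the cache, as `simulate` does, is a cheap way to keep the two credentials from sharing an entry again.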
