CVE Catalog

CVE-2026-27610

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

26th percentile - higher than 26% of all known CVEs

Summary

A vulnerability in Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 causes the `ConfigKeyCache` to use the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key.

Risk Assessment

The risk involves unauthorized access to the full master key by a read-only user, potentially leading to privilege escalation and uncontrolled data access.

Recommendation

It is recommended to immediately upgrade to version 9.0.0-alpha.8 or later. As a temporary workaround, avoid using function-typed master keys or remove the `agent` configuration block from your dashboard configuration.

Original NVD description (English source)

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS