CVE-2026-27610
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk26th percentile - higher than 26% of all known CVEs
Summary
A vulnerability in Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 causes the `ConfigKeyCache` to use the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key.
Risk Assessment
The risk involves unauthorized access to the full master key by a read-only user, potentially leading to privilege escalation and uncontrolled data access.
Recommendation
It is recommended to immediately upgrade to version 9.0.0-alpha.8 or later. As a temporary workaround, avoid using function-typed master keys or remove the `agent` configuration block from your dashboard configuration.
Original NVD description (English source)
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.

