Vulnerability Description
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse Dashboard | 7.3.0 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bdPatch
- https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8Release Notes
- https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4Vendor Advisory
FAQ
What is CVE-2026-27610?
CVE-2026-27610 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-on...
How severe is CVE-2026-27610?
CVE-2026-27610 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27610?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse Dashboard.