CVE-2026-27610

moderate-risk
Published 2026-02-25

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.

Do I need to act?

-
0.06% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / HIGH complexity

Affected Products (20)

Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard
Parse Dashboard

Affected Vendors

Parseplatform

References (3)

Patch https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd...
Release Notes https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
Vendor Advisory https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4...
49
/ 100
moderate-risk
Severity 17/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 32/34 · Critical