CVE-2026-27610
- Source
- https://cve.org/CVERecord?id=CVE-2026-27610
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27610.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-27610
- Aliases
- Published
- 2026-02-25T02:19:56.022Z
- Modified
- 2026-03-03T02:56:36.717934Z
- Severity
-
- 7.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N CVSS Calculator
- Summary
- Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
- Details
-
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the
ConfigKeyCacheuses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove theagentconfiguration block from your dashboard configuration. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27610.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-1289" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27610.json
- https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50
- https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
- https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr
- https://nvd.nist.gov/vuln/detail/CVE-2026-27610
Affected packages
Git / github.com/parse-community/parse-dashboard
Affected versions
7.*
7.3.0
7.3.0-alpha.42
7.3.0-alpha.43
7.3.0-alpha.44
7.4.0
7.4.0-alpha.1
7.4.0-alpha.2
7.4.0-alpha.3
7.4.0-alpha.4
7.4.0-alpha.5
7.5.0
7.5.0-alpha.1
7.5.0-alpha.2
7.6.0-alpha.1
7.6.0-alpha.10
7.6.0-alpha.11
7.6.0-alpha.12
7.6.0-alpha.13
7.6.0-alpha.2
7.6.0-alpha.3
7.6.0-alpha.4
7.6.0-alpha.5
7.6.0-alpha.6
7.6.0-alpha.7
7.6.0-alpha.8
7.6.0-alpha.9
8.*
8.0.0
8.0.0-alpha.1
8.0.0-alpha.2
8.0.0-alpha.3
8.0.0-alpha.4
8.0.0-alpha.5
8.0.0-alpha.6
8.1.0
8.1.0-alpha.1
8.1.0-alpha.10
8.1.0-alpha.11
8.1.0-alpha.12
8.1.0-alpha.13
8.1.0-alpha.2
8.1.0-alpha.3
8.1.0-alpha.4
8.1.0-alpha.5
8.1.0-alpha.6
8.1.0-alpha.7
8.1.0-alpha.8
8.1.0-alpha.9
8.1.1-alpha.1
8.2.0
8.2.0-alpha.1
8.2.0-alpha.10
8.2.0-alpha.11
8.2.0-alpha.12
8.2.0-alpha.13
8.2.0-alpha.14
8.2.0-alpha.15
8.2.0-alpha.16
8.2.0-alpha.17
8.2.0-alpha.18
8.2.0-alpha.19
8.2.0-alpha.2
8.2.0-alpha.20
8.2.0-alpha.21
8.2.0-alpha.22
8.2.0-alpha.23
8.2.0-alpha.24
8.2.0-alpha.25
8.2.0-alpha.26
8.2.0-alpha.27
8.2.0-alpha.3
8.2.0-alpha.4
8.2.0-alpha.5
8.2.0-alpha.6
8.2.0-alpha.7
8.2.0-alpha.8
8.2.0-alpha.9
8.3.0
8.3.0-alpha.1
8.3.0-alpha.10
8.3.0-alpha.11
8.3.0-alpha.12
8.3.0-alpha.13
8.3.0-alpha.14
8.3.0-alpha.15
8.3.0-alpha.16
8.3.0-alpha.17
8.3.0-alpha.18
8.3.0-alpha.19
8.3.0-alpha.2
8.3.0-alpha.20
8.3.0-alpha.21
8.3.0-alpha.22
8.3.0-alpha.23
8.3.0-alpha.24
8.3.0-alpha.25
8.3.0-alpha.26
8.3.0-alpha.27
8.3.0-alpha.28
8.3.0-alpha.29
8.3.0-alpha.3
8.3.0-alpha.30
8.3.0-alpha.31
8.3.0-alpha.32
8.3.0-alpha.33
8.3.0-alpha.34
8.3.0-alpha.35
8.3.0-alpha.36
8.3.0-alpha.37
8.3.0-alpha.38
8.3.0-alpha.39
8.3.0-alpha.4
8.3.0-alpha.40
8.3.0-alpha.41
8.3.0-alpha.42
8.3.0-alpha.43
8.3.0-alpha.5
8.3.0-alpha.6
8.3.0-alpha.7
8.3.0-alpha.8
8.3.0-alpha.9
8.4.0
8.4.0-alpha.1
8.4.1-alpha.1
8.4.1-alpha.2
8.5.0
8.5.0-alpha.1
8.5.0-alpha.2
8.5.0-alpha.3
8.5.0-alpha.4
8.5.0-alpha.5
8.5.0-alpha.6
8.5.0-alpha.7
9.*
9.0.0-alpha.1
9.0.0-alpha.2
9.0.0-alpha.3
9.0.0-alpha.4
9.0.0-alpha.5
9.0.0-alpha.6
9.0.0-alpha.7