CVE-2026-27610
MEDIUMParse Dashboard 7.3.0-alpha.42-9.0.0-alpha.7 - Privilege Escalation
Title source: llmDescription
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr
Patch x_refsource_misc
https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50
Release Notes x_refsource_misc
https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
Scores
CVSS v3
5.3
EPSS
0.0002
EPSS Percentile
5.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-1289
Status
published
Products (9)
npm/parse-dashboard
7.3.0-alpha.42 - 9.0.0-alpha.8npm
parseplatform/parse_dashboard
7.3.0 alpha.42 (8 CPE variants)
parseplatform/parse_dashboard
7.4.0 alpha.1 (5 CPE variants)
parseplatform/parse_dashboard
7.5.0 alpha.1 (2 CPE variants)
parseplatform/parse_dashboard
7.6.0 alpha.1 (13 CPE variants)
parseplatform/parse_dashboard
8.0.0 alpha.1 (6 CPE variants)
parseplatform/parse_dashboard
8.1.0 alpha.1 (13 CPE variants)
parseplatform/parse_dashboard
8.1.1 alpha.1
parseplatform/parse_dashboard
8.2.0 alpha.1
Published
Feb 25, 2026
Tracked Since
Feb 25, 2026