CVE-2026-27610
Received Received - Intake
Cache Key Collision in Parse Dashboard Allows Master Key Exposure

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27610
EUVD
EUVD-2026-8593
Affected Vendors & Products
Showing 135 associated CPEs
Vendor Product Version / Range
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.5.0
parseplatform parse_dashboard 7.5.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.1
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.4.0
parseplatform parse_dashboard 8.4.1
parseplatform parse_dashboard 8.4.1
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1289 The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to unauthorized access to elevated privileges within the Parse Dashboard. Specifically, a read-only user might gain access to the full master key, allowing them to perform actions beyond their intended permissions. Conversely, regular users might receive read-only keys, causing confusion or improper access control.

Such unauthorized access compromises system integrity by allowing privilege escalation, potentially leading to unauthorized data modification or administrative actions.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from the ConfigKeyCache using the same cache key for both master key and read-only master key when resolving function-typed keys, which can lead to leakage of elevated privileges.

Detection involves verifying if your parse-dashboard version is between 7.3.0-alpha.42 and 9.0.0-alpha.7, and checking if function-typed master keys are used or if the agent configuration block is present.

Since the vulnerability relates to cache key collisions and improper authentication on the AI Agent endpoint, you can monitor network traffic for unauthorized access attempts or unexpected master key exposures.

  • Check the parse-dashboard version installed: `npm list parse-dashboard` or `parse-dashboard --version`.
  • Inspect your dashboard configuration file for the presence of the `agent` configuration block.
  • Review logs for suspicious access patterns to the AI Agent endpoint, such as unauthorized POST requests to `/apps/:appId/agent`.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze traffic for unexpected master key data exposure.
  • Run security scans or audits focusing on authentication and authorization checks on the AI Agent endpoint.
Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade your parse-dashboard to version 9.0.0-alpha.8 or later, where the issue is fixed by using distinct cache keys for master and read-only master keys.

If upgrading is not immediately possible, apply the following workarounds:

  • Avoid using function-typed master keys in your configuration.
  • Remove the `agent` configuration block from your dashboard configuration to prevent exposure through the AI Agent endpoint.

Additionally, ensure that authentication and access control are properly enforced on the AI Agent endpoint, including CSRF protection and per-app access checks, as described in the patch.

Executive Summary

CVE-2026-27610 is a high-severity vulnerability in the Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7. The issue arises because the ConfigKeyCache component uses the same cache key for both the master key and the read-only master key when resolving function-typed keys. This cache key collision can cause a read-only user to receive the full master key or a regular user to receive the read-only master key under specific timing conditions.

The root cause is improper validation of unsafe equivalence in input, leading to unsafe resource referencing. The vulnerability was fixed in version 9.0.0-alpha.8 by using distinct cache keys for the master key and the read-only master key.

Workarounds include avoiding the use of function-typed master keys or removing the agent configuration block from the dashboard configuration.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27610. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart