Parse Dashboard
CVE-2026-27610
HIGH
Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Authenticated dashboard user (PR:L) wins a timing race (AC:H) over the network with no UI; a leaked full master key grants complete backend read, write, and delete (C/I/A:H).
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the agent configuration block from your dashboard configuration.
AnalysisAI
Privilege escalation via cache key collision in Parse Dashboard (npm parse-dashboard) versions 7.3.0-alpha.42 through 9.0.0-alpha.7 allows an authenticated read-only user to obtain the full master key. The flaw lives in ConfigKeyCache, which reuses one cache entry for both the master key and the read-only master key when those keys are function-typed; under a timing race a read-only session can read back the cached full master key (or a regular user the read-only key). Exploitation requires an authenticated dashboard session and a non-default configuration (function-typed keys plus the agent block); no public exploit identified at time of analysis and EPSS is low (0.05%), but the GitHub Security Advisory and patch commit confirm the issue.
Technical ContextAI
Parse Dashboard is the Node.js administrative web UI for Parse Server backends. It supports function-typed master keys (callables that resolve a key at request time, enabling dynamic rotation) and caches their resolved values in a TTL-based ConfigKeyCache keyed by appId. The root cause is that the cache lookup used a single logical key namespace ('masterKey') for both the privileged master key and the lower-privilege read-only master key, so a value resolved for one role could be served to a request executing under the other role. This maps to CWE-1289 (improper validation of unsafe equivalence in input) - the cache treated two security-distinct keys as equivalent. The patch (commit f92a9ef) computes a distinct cache key, 'readOnlyMasterKey' versus 'masterKey', based on the request's resolved access level, and the same commit hardens the new /apps/:appId/agent endpoint with auth (401), CSRF protection, per-app cross-access checks, and read-only permission overrides.
RemediationAI
Vendor-released patch: upgrade parse-dashboard to 9.0.0-alpha.8 or later, which assigns distinct ConfigKeyCache keys for the master key and read-only master key (commit https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50). If you cannot upgrade immediately, apply the vendor workarounds: stop using function-typed master keys (use static string master/read-only keys instead, which sidesteps the shared-cache resolution path but loses dynamic key-rotation capability), or remove the agent configuration block from your dashboard configuration (this disables the AI agent API feature that exercises the vulnerable code path). Refer to advisory GHSA-jhp4-jvq3-w5xr and the 9.0.0-alpha.8 release notes for confirmation before changing production configuration.
More in Parse Dashboard
View allUnauthenticated arbitrary database read/write in Parse Dashboard's AI Agent endpoint (POST /apps/:appId/agent) lets remo
Broken authorization in Parse Dashboard's AI Agent endpoint (POST /apps/:appId/agent) lets any authenticated user reach
Cross-site request forgery in Parse Dashboard (versions 7.3.0-alpha.42 through 9.0.0-alpha.7) lets a remote attacker abu
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-jhp4-jvq3-w5xr