Skip to main content

Parse Dashboard CVE-2026-27610

HIGH
Improper Validation of Unsafe Equivalence in Input (CWE-1289)
2026-02-25 security-advisories@github.com GHSA-jhp4-jvq3-w5xr
7.0
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Authenticated dashboard user (PR:L) wins a timing race (AC:H) over the network with no UI; a leaked full master key grants complete backend read, write, and delete (C/I/A:H).

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

9
Analysis Updated
Jun 26, 2026 - 17:16 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 26, 2026 - 17:15 vuln.today
Analysis Updated
Jun 26, 2026 - 17:15 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 17:07 vuln.today
cvss_changed
Severity Changed
Jun 26, 2026 - 17:07 NVD
MEDIUM HIGH
CVSS changed
Jun 26, 2026 - 17:07 NVD
5.3 (MEDIUM) 7.0 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch released
Feb 27, 2026 - 19:14 nvd
Patch available
CVE Published
Feb 25, 2026 - 03:16 nvd
MEDIUM 5.3

DescriptionCVE.org

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the agent configuration block from your dashboard configuration.

AnalysisAI

Privilege escalation via cache key collision in Parse Dashboard (npm parse-dashboard) versions 7.3.0-alpha.42 through 9.0.0-alpha.7 allows an authenticated read-only user to obtain the full master key. The flaw lives in ConfigKeyCache, which reuses one cache entry for both the master key and the read-only master key when those keys are function-typed; under a timing race a read-only session can read back the cached full master key (or a regular user the read-only key). Exploitation requires an authenticated dashboard session and a non-default configuration (function-typed keys plus the agent block); no public exploit identified at time of analysis and EPSS is low (0.05%), but the GitHub Security Advisory and patch commit confirm the issue.

Technical ContextAI

Parse Dashboard is the Node.js administrative web UI for Parse Server backends. It supports function-typed master keys (callables that resolve a key at request time, enabling dynamic rotation) and caches their resolved values in a TTL-based ConfigKeyCache keyed by appId. The root cause is that the cache lookup used a single logical key namespace ('masterKey') for both the privileged master key and the lower-privilege read-only master key, so a value resolved for one role could be served to a request executing under the other role. This maps to CWE-1289 (improper validation of unsafe equivalence in input) - the cache treated two security-distinct keys as equivalent. The patch (commit f92a9ef) computes a distinct cache key, 'readOnlyMasterKey' versus 'masterKey', based on the request's resolved access level, and the same commit hardens the new /apps/:appId/agent endpoint with auth (401), CSRF protection, per-app cross-access checks, and read-only permission overrides.

RemediationAI

Vendor-released patch: upgrade parse-dashboard to 9.0.0-alpha.8 or later, which assigns distinct ConfigKeyCache keys for the master key and read-only master key (commit https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50). If you cannot upgrade immediately, apply the vendor workarounds: stop using function-typed master keys (use static string master/read-only keys instead, which sidesteps the shared-cache resolution path but loses dynamic key-rotation capability), or remove the agent configuration block from your dashboard configuration (this disables the AI agent API feature that exercises the vulnerable code path). Refer to advisory GHSA-jhp4-jvq3-w5xr and the 9.0.0-alpha.8 release notes for confirmation before changing production configuration.

Share

CVE-2026-27610 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy