Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-27610

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-25 Feb, 2026 | 02:19
Updated At-27 Feb, 2026 | 17:24
Rejected At-
Credits

Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:25 Feb, 2026 | 02:19
Updated At:27 Feb, 2026 | 17:24
Rejected At:
â–¼CVE Numbering Authority (CNA)
Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.

Affected Products
Vendor
parse-community
Product
parse-dashboard
Versions
Affected
  • >= 7.3.0-alpha.42, < 9.0.0-alpha.8
Problem Types
TypeCWE IDDescription
CWECWE-1289CWE-1289: Improper Validation of Unsafe Equivalence in Input
Type: CWE
CWE ID: CWE-1289
Description: CWE-1289: Improper Validation of Unsafe Equivalence in Input
Metrics
VersionBase scoreBase severityVector
4.07.0HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
Version: 4.0
Base score: 7.0
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr
x_refsource_CONFIRM
https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50
x_refsource_MISC
https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
x_refsource_MISC
Hyperlink: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50
Resource:
x_refsource_MISC
Hyperlink: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
Resource:
x_refsource_MISC
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:25 Feb, 2026 | 03:16
Updated At:27 Feb, 2026 | 19:14

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.07.0HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 7.0
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CPE Matches
parseplatform
parseplatform
>>parse_dashboard>>7.3.0
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.42:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.3.0
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.43:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.3.0
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.44:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.3.0
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.5:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.3.0
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.6:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.3.0
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.7:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.3.0
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.8:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.3.0
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.9:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.4.0
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.1:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.4.0
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.2:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.4.0
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.3:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.4.0
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.4:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.4.0
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.5:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.5.0
cpe:2.3:a:parseplatform:parse_dashboard:7.5.0:alpha.1:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.5.0
cpe:2.3:a:parseplatform:parse_dashboard:7.5.0:alpha.2:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.6.0
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.1:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.6.0
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.10:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.6.0
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.11:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.6.0
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.12:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.6.0
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.13:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.6.0
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.2:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.6.0
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.3:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.6.0
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.4:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.6.0
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.5:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.6.0
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.6:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.6.0
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.7:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.6.0
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.8:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>7.6.0
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.9:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.0.0
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.1:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.0.0
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.2:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.0.0
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.3:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.0.0
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.4:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.0.0
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.5:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.0.0
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.6:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.1.0
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.1:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.1.0
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.10:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.1.0
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.11:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.1.0
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.12:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.1.0
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.13:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.1.0
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.2:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.1.0
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.3:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.1.0
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.4:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.1.0
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.5:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.1.0
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.6:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.1.0
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.7:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.1.0
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.8:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.1.0
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.9:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.1.1
cpe:2.3:a:parseplatform:parse_dashboard:8.1.1:alpha.1:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.2.0
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.1:*:*:*:node.js:*:*
parseplatform
parseplatform
>>parse_dashboard>>8.2.0
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.10:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
CWE-1289Primarysecurity-advisories@github.com
CWE ID: CWE-1289
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50security-advisories@github.com
Patch
https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8security-advisories@github.com
Release Notes
https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xrsecurity-advisories@github.com
Vendor Advisory
Hyperlink: https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
Source: security-advisories@github.com
Resource:
Release Notes
Hyperlink: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr
Source: security-advisories@github.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

0Records found
Details not found