Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.0
Parse Dashboard Leaks Master Key to Unauthorized Users
CVE-2026-27610
GHSA-jhp4-jvq3-w5xr
Summary
Parse Dashboard users with read-only access may be able to access the master key, which could compromise the security of your application. To protect your data, update to the latest version of Parse Dashboard, or remove the agent configuration block from your dashboard configuration.
What to do
- Update parseadmin parse-dashboard to version 9.0.0-alpha.8.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| parseadmin | parse-dashboard | > 7.3.0-alpha.42 , <= 9.0.0-alpha.8 | 9.0.0-alpha.8 |
| parseplatform | parse_dashboard | 7.3.0 | – |
| parseplatform | parse_dashboard | 7.3.0 | – |
| parseplatform | parse_dashboard | 7.3.0 | – |
| parseplatform | parse_dashboard | 7.3.0 | – |
| parseplatform | parse_dashboard | 7.3.0 | – |
| parseplatform | parse_dashboard | 7.3.0 | – |
| parseplatform | parse_dashboard | 7.3.0 | – |
| parseplatform | parse_dashboard | 7.3.0 | – |
| parseplatform | parse_dashboard | 7.4.0 | – |
| parseplatform | parse_dashboard | 7.4.0 | – |
| parseplatform | parse_dashboard | 7.4.0 | – |
| parseplatform | parse_dashboard | 7.4.0 | – |
| parseplatform | parse_dashboard | 7.4.0 | – |
| parseplatform | parse_dashboard | 7.5.0 | – |
| parseplatform | parse_dashboard | 7.5.0 | – |
| parseplatform | parse_dashboard | 7.6.0 | – |
| parseplatform | parse_dashboard | 7.6.0 | – |
| parseplatform | parse_dashboard | 7.6.0 | – |
| parseplatform | parse_dashboard | 7.6.0 | – |
| parseplatform | parse_dashboard | 7.6.0 | – |
| parseplatform | parse_dashboard | 7.6.0 | – |
| parseplatform | parse_dashboard | 7.6.0 | – |
| parseplatform | parse_dashboard | 7.6.0 | – |
| parseplatform | parse_dashboard | 7.6.0 | – |
| parseplatform | parse_dashboard | 7.6.0 | – |
| parseplatform | parse_dashboard | 7.6.0 | – |
| parseplatform | parse_dashboard | 7.6.0 | – |
| parseplatform | parse_dashboard | 7.6.0 | – |
| parseplatform | parse_dashboard | 8.0.0 | – |
| parseplatform | parse_dashboard | 8.0.0 | – |
| parseplatform | parse_dashboard | 8.0.0 | – |
| parseplatform | parse_dashboard | 8.0.0 | – |
| parseplatform | parse_dashboard | 8.0.0 | – |
| parseplatform | parse_dashboard | 8.0.0 | – |
| parseplatform | parse_dashboard | 8.1.0 | – |
| parseplatform | parse_dashboard | 8.1.0 | – |
| parseplatform | parse_dashboard | 8.1.0 | – |
| parseplatform | parse_dashboard | 8.1.0 | – |
| parseplatform | parse_dashboard | 8.1.0 | – |
| parseplatform | parse_dashboard | 8.1.0 | – |
| parseplatform | parse_dashboard | 8.1.0 | – |
| parseplatform | parse_dashboard | 8.1.0 | – |
| parseplatform | parse_dashboard | 8.1.0 | – |
| parseplatform | parse_dashboard | 8.1.0 | – |
| parseplatform | parse_dashboard | 8.1.0 | – |
| parseplatform | parse_dashboard | 8.1.0 | – |
| parseplatform | parse_dashboard | 8.1.0 | – |
| parseplatform | parse_dashboard | 8.1.1 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.2.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.3.0 | – |
| parseplatform | parse_dashboard | 8.4.0 | – |
| parseplatform | parse_dashboard | 8.4.1 | – |
| parseplatform | parse_dashboard | 8.4.1 | – |
| parseplatform | parse_dashboard | 8.5.0 | – |
| parseplatform | parse_dashboard | 8.5.0 | – |
| parseplatform | parse_dashboard | 8.5.0 | – |
| parseplatform | parse_dashboard | 8.5.0 | – |
| parseplatform | parse_dashboard | 8.5.0 | – |
| parseplatform | parse_dashboard | 8.5.0 | – |
| parseplatform | parse_dashboard | 8.5.0 | – |
| parseplatform | parse_dashboard | 9.0.0 | – |
| parseplatform | parse_dashboard | 9.0.0 | – |
| parseplatform | parse_dashboard | 9.0.0 | – |
| parseplatform | parse_dashboard | 9.0.0 | – |
| parseplatform | parse_dashboard | 9.0.0 | – |
| parseplatform | parse_dashboard | 9.0.0 | – |
| parseplatform | parse_dashboard | 9.0.0 | – |
Original title
Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Original description
### Impact
The `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key.
### Patches
The fix uses distinct cache keys for master key and read-only master key.
### Workarounds
Avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.
### Resources
- GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr
- Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
The `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key.
### Patches
The fix uses distinct cache keys for master key and read-only master key.
### Workarounds
Avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.
### Resources
- GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr
- Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
nvd CVSS3.1
5.3
nvd CVSS4.0
7.0
Vulnerability type
CWE-1289
- https://nvd.nist.gov/vuln/detail/CVE-2026-27610
- https://github.com/advisories/GHSA-jhp4-jvq3-w5xr
- https://github.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd... Patch
- https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8 Release Notes
- https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4... Vendor Advisory
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026