PT-2026-21838 · Parse · Parse-Dashboard
Mtrezza
·
Published
2026-02-25
·
Updated
2026-02-25
·
CVE-2026-27610
CVSS v4.0
7.0
High
| Vector | AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N |
Name of the Vulnerable Software and Affected Versions
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7
Description
The
ConfigKeyCache component within Parse Dashboard incorrectly utilizes the same cache key for both master key and read-only master key when resolving function-typed keys. This can lead to a read-only user gaining access to the full master key, or a regular user receiving the cached read-only master key under specific timing conditions. To mitigate this, avoid using function-typed master keys or remove the agent configuration block from your dashboard configuration.Recommendations
Update to version 9.0.0-alpha.8 or later.
Avoid using function-typed master keys.
Remove the
agent configuration block from your dashboard configuration.Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Parse-Dashboard