Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
- Severity: High
Description
The ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key.
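The collision described above, reduced to a small model. This is an added example, not parse-dashboard's own code: `KeyCache`, the two key-builder functions, the `app` object and its placeholder key values are hypothetical, the resolvers are synchronous for brevity, and including the key type in the cache key is shown as one way to remove the collision, not as the project's actual patch.

```javascript
// Added illustration: a hypothetical TTL cache, not parse-dashboard's ConfigKeyCache source.
class KeyCache {
  // keyFn builds the cache key from (appId, keyType); now() is injectable for tests.
  constructor(keyFn, ttlMs = 60000, now = Date.now) {
    this.keyFn = keyFn;
    this.ttlMs = ttlMs;
    this.now = now;
    this.entries = new Map();
  }

  // Resolve a function-typed key and cache the result until the TTL expires.
  get(appId, keyType, resolver) {
    const cacheKey = this.keyFn(appId, keyType);
    const hit = this.entries.get(cacheKey);
    if (hit && hit.expires > this.now()) return hit.value;
    const value = resolver();
    this.entries.set(cacheKey, { value, expires: this.now() + this.ttlMs });
    return value;
  }
}

// Colliding: the key type is not part of the cache key (the flaw described above).
const collidingKey = (appId, _keyType) => appId;
// Separated: each key type gets its own cache entry.
const separatedKey = (appId, keyType) => `${appId}:${keyType}`;

// Constructed app config with function-typed keys (placeholder values).
const app = {
  appId: 'demoApp',
  masterKey: () => 'MASTER-placeholder',
  readOnlyMasterKey: () => 'READONLY-placeholder',
};

// A full-access session resolves its key first, then a read-only session
// resolves within the TTL. Returns what the read-only session receives.
function readOnlySessionKey(keyFn) {
  const cache = new KeyCache(keyFn);
  cache.get(app.appId, 'masterKey', app.masterKey);
  return cache.get(app.appId, 'readOnlyMasterKey', app.readOnlyMasterKey);
}

// The reverse order: read-only first, then a full-access session.
function fullSessionKey(keyFn) {
  const cache = new KeyCache(keyFn);
  cache.get(app.appId, 'readOnlyMasterKey', app.readOnlyMasterKey);
  return cache.get(app.appId, 'masterKey', app.masterKey);
}

console.log(readOnlySessionKey(collidingKey), readOnlySessionKey(separatedKey));
```

A regression test for a cache like this should resolve both key types for the same app within one TTL window, in both orders, and check that each caller gets the value for its own key type.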
Recommendation
Update the parse-dashboard package to the latest compatible version. Version details:
- Affected version(s): >= 7.3.0-alpha.42, < 9.0.0-alpha.8
- Patched version(s): 9.0.0-alpha.8
References
Related Issues
- Parse Dashboard has incomplete authentication on AI Agent endpoint - CVE-2026-27595
- Parse Dashboard is Missing CSRF Protection for its Agent Endpoint - CVE-2026-27609
- Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes - CVE-2026-31800
- Parse Dashboard is Missing Authorization for its Agent Endpoint - CVE-2026-27608
- Tags: npm, parse-dashboard
Last updated on February 25, 2026