CVE-2026-27610

Description

### Impact The `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. ### Patches The fix uses distinct cache keys for master key and read-only master key. ### Workarounds Avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration. ### Resources - GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-jhp4-jvq3-w5xr - Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8

How to fix CVE-2026-27610

To remediate CVE-2026-27610, upgrade the affected package to a fixed version below.

• —upgrade to 9.0.0-alpha.8 or later

Is CVE-2026-27610 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 7.3.0-alpha.42, < 9.0.0-alpha.8

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-27610
• PATCHgithub.com/parse-community/parse-dashboard
• WEBgithub.com/parse-community/parse-dashboard/commit/f92a9ef5246d57e51696bd881a15f3b133b2bb50
• WEBgithub.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8