Lack of data validation - Path Traversal In parse-dashboard

Description

Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions

Impact

The ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key.

Patches

The fix uses distinct cache keys for master key and read-only master key.
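
The collision described under Impact and the fix described under Patches, modelled in a few lines. This is an added example, not parse-dashboard's own code: the `KeyCache` class, its method names, the TTL and the sample key values are assumptions made for illustration.

```javascript
// Illustrative model only: class, method and field names are hypothetical,
// not parse-dashboard's actual ConfigKeyCache implementation.
class KeyCache {
  constructor(makeCacheKey, ttlMs = 60000) {
    this.makeCacheKey = makeCacheKey; // (appId, keyType) -> cache key string
    this.ttlMs = ttlMs;               // assumed expiry window
    this.entries = new Map();
  }

  // Resolve a function-typed key, reusing a cached value until it expires.
  resolve(appId, keyType, keyFn, now) {
    const cacheKey = this.makeCacheKey(appId, keyType);
    const hit = this.entries.get(cacheKey);
    if (hit && hit.expires > now) return hit.value;
    const value = keyFn();
    this.entries.set(cacheKey, { value, expires: now + this.ttlMs });
    return value;
  }
}

// Constructed sample app config with function-typed keys.
const app = {
  appId: 'demoApp',
  masterKey: () => 'MASTER-constructed',
  readOnlyMasterKey: () => 'READONLY-constructed',
};

// Collision: the key type is not part of the cache key.
const collidingKey = (appId, _keyType) => appId;
// Fix as the advisory describes it: distinct cache keys per key type.
const distinctKey = (appId, keyType) => `${appId}:${keyType}`;

// A full-access session resolves first, then a read-only session within the TTL.
function keySeenByReadOnlySession(makeCacheKey) {
  const cache = new KeyCache(makeCacheKey);
  cache.resolve(app.appId, 'masterKey', app.masterKey, 0);
  return cache.resolve(app.appId, 'readOnlyMasterKey', app.readOnlyMasterKey, 1000);
}

// Reverse order: a read-only session resolves first, then a full-access session.
function keySeenByFullSession(makeCacheKey) {
  const cache = new KeyCache(makeCacheKey);
  cache.resolve(app.appId, 'readOnlyMasterKey', app.readOnlyMasterKey, 0);
  return cache.resolve(app.appId, 'masterKey', app.masterKey, 1000);
}
```

A regression test for the patched behaviour can assert the same property: resolving both key types for one app within the cache lifetime must never return the other type's value, in either order.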

Workarounds

Avoid using function-typed master keys, or remove the agent configuration block from your dashboard configuration.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
