CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27610: Key Swap: How Parse Dashboard Handed Admin Keys to Guests via Cache Collision

Vulnerability ID: CVE-2026-27610
CVSS Score: 7.0
Published: 2026-02-25

A critical race condition and cache collision vulnerability exists in Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7. The flaw lies within the configuration caching mechanism for dynamic master keys. When an application configures its masterKey as a function (for rotation or retrieval purposes), the dashboard caches the result. However, the cache key failed to differentiate between a full administrative session and a read-only session. This allows a read-only user to inherit the cached full master key if an administrator has recently accessed the dashboard, leading to immediate privilege escalation and potential data destruction.

TL;DR

If you use dynamic master keys (functions) in Parse Dashboard, your cache is confused. If an admin logs in, the 'God Mode' key is cached. If a read-only user logs in immediately after, they get served that same God Mode key from the cache. Patch to 9.0.0-alpha.8 immediately.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1289 (Improper Validation of Unsafe Equivalence)
  • CVSS v4.0: 7.0 (High)
  • Attack Vector: Network (Remote)
  • Attack Complexity: High (Requires timing/race condition)
  • Privileges Required: Low (Read-only account)
  • Exploit Maturity: PoC / Functional

Affected Systems

  • Parse Dashboard 7.3.0-alpha.42 through 9.0.0-alpha.7
  • parse-dashboard: >= 7.3.0-alpha.42 < 9.0.0-alpha.8 (Fixed in: 9.0.0-alpha.8)

Code Analysis

Commit: f92a9ef

Fix cache key collision and improve Agent auth checks

// Patched line: the cache key now encodes the session type, so a read-only session
// can no longer be served the entry populated by a full master-key session.
const cacheKey = matchingAccess.readOnly ? 'readOnlyMasterKey' : 'masterKey';
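To make the one-line fix concrete, here is an added example (not Parse Dashboard's own code) that models the caching behaviour the advisory describes and replays its sequence: an admin session populates the cache, then a read-only session asks for its key. The cache shape, the function names, the app configs and the placeholder key values are assumptions made for this demonstration; only the patched `cacheKey` expression is taken from the commit above. The same harness also shows why the "static strings instead of functions" mitigation works, since only function-valued keys ever enter the cache.

```javascript
// Added example, not Parse Dashboard's own code: a minimal model of the
// CVE-2026-27610 cache collision. Cache layout, names and key values are assumptions.

// Constructed app config with dynamic (function-valued) keys, the affected setup.
const dynamicApp = {
  appName: 'demo-dynamic',
  masterKey: () => 'FULL-MASTER-KEY-PLACEHOLDER',
  readOnlyMasterKey: () => 'READ-ONLY-KEY-PLACEHOLDER',
};

// Constructed app config with static keys, the mitigated setup.
const staticApp = {
  appName: 'demo-static',
  masterKey: 'STATIC-MASTER-KEY-PLACEHOLDER',
  readOnlyMasterKey: 'STATIC-READ-ONLY-KEY-PLACEHOLDER',
};

// Assumed reconstruction of the vulnerable behaviour: one cache slot per app,
// whatever the session type, so the first session to fill it decides what
// every later session receives.
const vulnerableCacheKey = () => 'masterKey';

// The patched expression from the commit: the slot depends on the session type.
const fixedCacheKey = (matchingAccess) =>
  matchingAccess.readOnly ? 'readOnlyMasterKey' : 'masterKey';

// Resolve the key for a session. Static strings are returned as-is; function
// results are memoised under the slot chosen by cacheKeyFor. (A real cache would
// also be scoped per app; this demo uses a single app per run.)
function resolveKey(cache, app, matchingAccess, cacheKeyFor) {
  const configured = matchingAccess.readOnly ? app.readOnlyMasterKey : app.masterKey;
  if (typeof configured !== 'function') {
    return configured; // static keys never touch the cache
  }
  const cacheKey = cacheKeyFor(matchingAccess);
  if (!cache.has(cacheKey)) {
    cache.set(cacheKey, configured());
  }
  return cache.get(cacheKey);
}

// Replay the advisory's sequence: admin first, read-only user immediately after.
function runScenario(cacheKeyFor, app) {
  const cache = new Map();
  const adminKey = resolveKey(cache, app, { readOnly: false }, cacheKeyFor);
  const guestKey = resolveKey(cache, app, { readOnly: true }, cacheKeyFor);
  return { adminKey, guestKey, guestGotMasterKey: guestKey === adminKey };
}

// Regression-style check: a read-only session must never receive the full key.
function leaksMasterKey(cacheKeyFor, app) {
  return runScenario(cacheKeyFor, app).guestGotMasterKey;
}

console.log('vulnerable, dynamic keys:', runScenario(vulnerableCacheKey, dynamicApp));
console.log('fixed, dynamic keys:     ', runScenario(fixedCacheKey, dynamicApp));
console.log('vulnerable, static keys: ', runScenario(vulnerableCacheKey, staticApp));
```

Running it prints three results: with dynamic keys and the single-slot cache the read-only session receives the admin's key, with the patched cache key it receives its own read-only key, and with static keys nothing is cached so even the unpatched resolver cannot collide. `leaksMasterKey` is the kind of assertion to keep in an integration test so the collision cannot silently return.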

Exploit Details

  • GitHub: Integration tests demonstrating the vulnerability logic and fix.

Mitigation Strategies

  • Upgrade to patched version
  • Replace dynamic function-based keys with static strings
  • Network isolation of the dashboard

Remediation Steps:

  1. Update parse-dashboard dependency to 9.0.0-alpha.8 or newer.
  2. Verify configuration files to ensure masterKey is not defined as a function if upgrade is impossible.
  3. Restart the Parse Dashboard service to flush existing caches.

References


Read the full report for CVE-2026-27610 on our website for more details including interactive diagrams and full exploit analysis.
