
CVE-2026-27610: CWE-1289: Improper Validation of Unsafe Equivalence in Input in parse-community parse-dashboard

Severity: High
Type: Vulnerability
Tags: CVE-2026-27610, cve, cve-2026-27610, cwe-1289
Published: Wed Feb 25 2026 (02/25/2026, 02:19:56 UTC)
Source: CVE Database V5
Vendor/Project: parse-community
Product: parse-dashboard

Description

CVE-2026-27610 is a high-severity vulnerability in parse-community's parse-dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7. It arises from improper validation of cache keys in the ConfigKeyCache component, causing master keys and read-only master keys to share the same cache key under certain timing conditions. This flaw can allow read-only users to obtain full master keys or regular users to access read-only master keys, leading to unauthorized privilege escalation. The vulnerability does not require user interaction but does require some privileges and has a high impact on confidentiality and integrity.

AI-Powered Analysis

Last updated: 02/25/2026, 03:26:15 UTC

Technical Analysis

The vulnerability identified as CVE-2026-27610 affects parse-dashboard, a management interface for Parse Server applications. The root cause is improper validation of unsafe equivalence in input related to cache key generation within the ConfigKeyCache component. Specifically, from versions 7.3.0-alpha.42 up to but not including 9.0.0-alpha.8, the system uses the same cache key for both the master key and the read-only master key when resolving function-typed keys. Under certain timing conditions, this leads to a race condition where a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. This results in unauthorized disclosure of sensitive keys, enabling privilege escalation and potential full control over the Parse Server environment. The vulnerability is classified under CWE-1289, which involves improper validation of unsafe equivalence in input, leading to security bypasses. The fix implemented in version 9.0.0-alpha.8 separates cache keys for master and read-only master keys, eliminating the collision. As a temporary mitigation, users are advised to avoid function-typed master keys or remove the agent configuration block from their dashboard configuration to prevent the caching issue. The CVSS 4.0 score is 7.0, reflecting a high severity with network attack vector, high impact on integrity and confidentiality, and requiring low privileges and partial authentication. No known exploits have been reported in the wild to date.
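The collision described above can be modelled in a few lines. This is an added example, not parse-dashboard's ConfigKeyCache source: the `KeyCache` class, its TTL-based timing window, the injected clock and the sample key values are all assumptions made for illustration.

```javascript
// Illustrative model only; KeyCache and simulate are hypothetical names.
class KeyCache {
  constructor({ separateKinds, ttlMs }) {
    this.separateKinds = separateKinds; // false = flawed form, true = fixed form
    this.ttlMs = ttlMs;                 // assumed timing window for cached entries
    this.store = new Map();
  }

  // Flawed form: cache key derived from the app alone, so both key kinds
  // are treated as equivalent. Fixed form: the key kind is part of the key.
  cacheKey(appId, kind) {
    return this.separateKinds ? `${appId}:${kind}` : appId;
  }

  resolve(appId, kind, provider, now) {
    if (typeof provider !== 'function') return provider; // static keys are not cached
    const k = this.cacheKey(appId, kind);
    const hit = this.store.get(k);
    if (hit && now - hit.at < this.ttlMs) return hit.value;
    const value = provider();
    this.store.set(k, { value, at: now });
    return value;
  }
}

// Constructed sample app with function-typed keys (placeholder values).
const app = {
  appId: 'demoApp',
  masterKey: () => 'MASTER-constructed',
  readOnlyMasterKey: () => 'READONLY-constructed',
};

// A full-access request resolves first; a read-only request follows gapMs later.
function simulate(separateKinds, gapMs) {
  const cache = new KeyCache({ separateKinds, ttlMs: 1000 });
  const full = cache.resolve(app.appId, 'masterKey', app.masterKey, 0);
  const readOnly = cache.resolve(app.appId, 'readOnlyMasterKey', app.readOnlyMasterKey, gapMs);
  return { full, readOnly };
}
```

With the shared cache key, the read-only lookup returns the master key only when it lands inside the cache window, which is why the issue depends on timing; with per-kind cache keys the two values never meet.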

Potential Impact

This vulnerability poses a significant risk to organizations using parse-dashboard to manage Parse Server applications. The unauthorized disclosure of master keys can lead to full compromise of the backend environment, including data exfiltration, unauthorized data modification, and potential disruption of services. Since master keys grant unrestricted access, attackers exploiting this flaw could bypass all access controls, leading to severe confidentiality and integrity breaches. The timing-based nature of the vulnerability may limit exploitation complexity but does not eliminate the risk, especially in environments with multiple users and concurrent access. Organizations relying on parse-dashboard for critical applications, especially those handling sensitive or regulated data, face increased risk of data breaches and operational impact. The lack of user interaction requirement and network attack vector make remote exploitation feasible, increasing the threat surface. Although no exploits are currently known in the wild, the public disclosure and availability of details may prompt attackers to develop exploits, increasing urgency for remediation.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately upgrade parse-dashboard to version 9.0.0-alpha.8 or later, where the issue is fixed by using distinct cache keys for master and read-only master keys. Until an upgrade is possible, avoid using function-typed master keys, as they trigger the caching flaw. Additionally, removing the 'agent' configuration block from the dashboard configuration can serve as a temporary workaround to prevent the caching collision. Organizations should audit their parse-dashboard configurations to identify use of function-typed master keys and the agent block. Implement strict access controls and monitoring on parse-dashboard instances to detect unusual access patterns or privilege escalations. Regularly review and rotate master keys to limit exposure if compromise occurs. Finally, maintain awareness of updates from the parse-community project and apply patches promptly to reduce risk.
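The configuration audit recommended above can be scripted. This is an added example, not a parse-community tool: `isAffected` and `auditDashboard` are hypothetical helpers, the version range comes from this advisory, and the top-level placement of the `agent` block and the sample configuration are assumptions.

```javascript
function parseVersion(v) {
  const dash = v.indexOf('-');
  const core = (dash < 0 ? v : v.slice(0, dash)).split('.').map(Number);
  return { core, pre: dash < 0 ? null : v.slice(dash + 1).split('.') };
}

// Semver precedence: numeric core first, a release outranks its prereleases,
// then prerelease identifiers compared left to right (numeric before text).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (!x.pre || !y.pre) return x.pre ? -1 : y.pre ? 1 : 0;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;
    if (q === undefined) return 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn && Number(p) !== Number(q)) return Number(p) < Number(q) ? -1 : 1;
    if (pn !== qn) return pn ? -1 : 1;
    if (!pn && p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: 7.3.0-alpha.42 <= version < 9.0.0-alpha.8.
function isAffected(version) {
  return compareVersions(version, '7.3.0-alpha.42') >= 0 &&
         compareVersions(version, '9.0.0-alpha.8') < 0;
}

// Flags the two conditions the workarounds target: function-typed keys
// and the presence of an agent block (assumed to sit at the top level).
function auditDashboard(version, config) {
  const functionKeys = [];
  for (const app of config.apps || []) {
    for (const field of ['masterKey', 'readOnlyMasterKey']) {
      if (typeof app[field] === 'function') functionKeys.push(`${app.appId}.${field}`);
    }
  }
  const hasAgent = config.agent != null;
  const inRange = isAffected(version);
  return { inRange, functionKeys, hasAgent,
           exposed: inRange && hasAgent && functionKeys.length > 0 };
}

// Constructed sample configuration.
const sampleConfig = { agent: {},
  apps: [{ appId: 'demoApp', masterKey: () => 'k', readOnlyMasterKey: 'static' }] };
```

Prerelease identifiers are compared numerically, so `9.0.0-alpha.10` is correctly treated as fixed and `7.3.0-alpha.5` as older than the first affected build.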


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-20T19:43:14.602Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699e6864b7ef31ef0bae9d0d

Added to database: 2/25/2026, 3:11:32 AM

Last enriched: 2/25/2026, 3:26:15 AM

Last updated: 2/25/2026, 8:12:58 AM
