GHSA-jhp4-jvq3-w5xr: Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Summary
Parse Dashboard has a cache key collision bug where the same storage identifier is used for both the master key (full access) and read-only master key (limited access) when resolving function-typed keys. Under specific timing conditions, a read-only user could receive the full master key, or a regular user could receive the read-only master key, leaking access privileges to the wrong user type.
Solution / Mitigation
The patch uses distinct cache keys for master key and read-only master key. As workarounds, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration. This issue is fixed in version 9.0.0-alpha.8 or later.
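The collision and the fix described above, reduced to a small added example. This is not Parse Dashboard's code: `resolveCached`, `collidingKeys`, `distinctKeys`, the cache layout and the sample key values are all hypothetical.

```javascript
// Hypothetical TTL cache for function-typed keys: cacheKey -> { value, expires }.
const cache = new Map();

function resolveCached(cacheKey, keyOrFn, ttlMs = 60000) {
  if (typeof keyOrFn !== 'function') return keyOrFn; // static keys are never cached
  const hit = cache.get(cacheKey);
  if (hit && hit.expires > Date.now()) return hit.value;
  const value = keyOrFn();
  cache.set(cacheKey, { value, expires: Date.now() + ttlMs });
  return value;
}

// Colliding form: both key types are stored under the same identifier.
const collidingKeys = (app) => ({
  master: () => resolveCached(app.appId, app.masterKey),
  readOnly: () => resolveCached(app.appId, app.readOnlyMasterKey),
});

// Distinct form: the key type is part of the cache key.
const distinctKeys = (app) => ({
  master: () => resolveCached(`${app.appId}:masterKey`, app.masterKey),
  readOnly: () => resolveCached(`${app.appId}:readOnlyMasterKey`, app.readOnlyMasterKey),
});

// Constructed sample configuration with function-typed keys.
const sampleApp = {
  appId: 'demo-app',
  masterKey: () => 'MASTER-constructed',
  readOnlyMasterKey: () => 'READONLY-constructed',
};

// Resolve one key type first (warming the cache), then the other,
// and report what each session type would be handed.
function demo(makeKeys, first) {
  cache.clear();
  const keys = makeKeys(sampleApp);
  const second = first === 'master' ? 'readOnly' : 'master';
  const result = {};
  result[first] = keys[first]();
  result[second] = keys[second]();
  return result;
}

console.log(demo(collidingKeys, 'master'), demo(distinctKeys, 'master'));
```

Whichever key type is resolved first decides what the other session receives until the entry expires, which is why the leak depends on timing and runs in both directions.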
Vulnerability Details
EPSS: 0.1%
Original source: https://github.com/advisories/GHSA-jhp4-jvq3-w5xr
First tracked: February 25, 2026 at 03:00 PM