Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.
Metrics
Affected Vendors & Products
References
History
Wed, 01 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Gorse-io
Gorse-io gorse |
|
| Vendors & Products |
Gorse-io
Gorse-io gorse |
Mon, 29 Jun 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 29 Jun 2026 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication. | |
| Title | Gorse - Unauthenticated Database Dump and Restore via /api/dump and /api/restore Endpoints | |
| Weaknesses | CWE-306 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-06-29T17:16:14.050Z
Updated: 2026-06-30T11:15:43.114Z
Reserved: 2026-06-23T01:24:27.650Z
Link: CVE-2026-56782
Updated: 2026-06-29T19:41:29.336Z
No data.
No data.