CVE-2026-56782 | Gorse before 0.5.10 contains an authentication bypass vulner… | CVSS 9.8 CRITICAL

Description

Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.

Metadata

CVE ID: CVE-2026-56782
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-23 01:24 UTC
Published: 2026-06-29 17:16 UTC
Last updated: 2026-06-29 19:41 UTC
Primary CWE: CWE-306
Missing Authentication for Critical Function
Vendor / Product: gorse-io / gorse
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
gorse-io	gorse	—	0 < 0.5.10, 0.5.10

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	Missing Authentication for Critical Function

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (4)

Researcher Disclosure https://github.com/gorse-io/gorse/issues/1292
Pull Request https://github.com/gorse-io/gorse/pull/1293
Patch Commit https://github.com/gorse-io/gorse/commit/19fdcbb309fb5b609e9cc3eb10c74885b5b27da9
https://www.vulncheck.com/advisories/gorse-unauthenticated-database-dump-and-restore-via-api-dump-and-api-restore-endpoints