CVE Catalog

CVE-2026-56782

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Summary

A vulnerability in Gorse before version 0.5.10 allows authentication bypass in the /api/dump and /api/restore endpoints. Unauthenticated attackers can exfiltrate the entire database containing personally identifiable information or completely overwrite the dataset.

Risk Assessment

The risk involves potential theft of sensitive personal data (PII) and complete loss of data integrity, which may lead to privacy breaches and serious legal consequences.

Recommendation

Immediately upgrade Gorse to version 0.5.10 or later and configure a non-empty password for admin_api_key to prevent unauthorized access.

Original NVD description (English source)

Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS