Description
Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.
Published: 2026-06-29
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gorse versions before 0.5.10 serve the /api/dump and /api/restore endpoints without any authentication when admin_api_key is empty (CWE-306, Missing Authentication for Critical Function), and empty is the shipped default. An unauthenticated remote attacker can dump the entire database, including user records, items, and feedback data that may contain personally identifiable information, or restore an attacker-supplied dataset over it, corrupting or effectively deleting the stored data. Confidentiality, integrity and availability of the recommender's data are all affected, which is what the CVSS vectors recorded for this CVE reflect (C:H/I:H/A:H in v3.1, VC:H/VI:H/VA:H in v4.0).

Affected Systems

The vulnerability affects Gorse (gorse-io) in every release before 0.5.10 in which admin_api_key is left at its empty default. Installations that set a non-empty admin_api_key are not exposed by this issue; installations that have not, and whose HTTP API is reachable from an untrusted network, are.

Risk and Exploitability

The CVSS v4.0 score of 9.3 (v3.1: 9.8) indicates critical risk. The EPSS score is below 1% and the CVE is not listed in the CISA KEV catalog, but exploitation requires only unauthenticated HTTP requests to the two endpoints: no credentials, user interaction or special conditions are needed, so any instance running the default configuration and reachable by an attacker is trivially exploitable. The SSVC entry in the record rates the issue as automatable with total technical impact, with no known exploitation at the time of publication.

Generated by OpenCVE AI on June 29, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround is recorded in the CVE record (the description names 0.5.10 as the first unaffected release).

OpenCVE Recommended Actions

  • Update Gorse to version 0.5.10 or later to remove the vulnerability.
  • If upgrading is not immediately possible, configure a non‑empty admin_api_key to secure the /api/dump and /api/restore endpoints.
  • Restrict incoming traffic to the API ports to a known set of IP addresses or network segments using firewall rules or a reverse-proxy configuration, so that unauthenticated requests from the broader Internet never reach the service; at minimum, deny /api/dump and /api/restore to anything other than administrative hosts.
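The following script, added here as an example that is not part of this page or of the Gorse project, audits a Gorse config.toml for the weak default described above and shows the corrected setting beside it. It assumes admin_api_key lives under the [master] section (the page itself only names the setting, not its section), uses a 32-character minimum length that is an operator-chosen floor rather than a Gorse requirement, and the two sample configurations are constructed for the demonstration. It uses tomllib where available (Python 3.11+) and falls back to a small line parser for the flat shape of these files.

```python
import re
import secrets

# Constructed sample: the vulnerable default, admin_api_key left empty.
# The [master] section name is assumed from Gorse's config.toml layout.
DEFAULT_CONFIG = """
[master]
http_host = "0.0.0.0"
http_port = 8088
admin_api_key = ""

[server]
api_key = ""
"""

# Constructed sample: the same file after an operator has set a key.
HARDENED_CONFIG = """
[master]
http_host = "0.0.0.0"
http_port = 8088
admin_api_key = "0f3c9a7b2e1d4c8a5b6f7e8d9c0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a"

[server]
api_key = "server-side-key"
"""

# Assumption: an operator-chosen floor, not a Gorse requirement.
MIN_KEY_LEN = 32


def parse_config(text):
    """Parse a flat TOML document of `[section]` / `key = value` lines into dicts.

    tomllib is used when present; otherwise a minimal line parser handles the
    shape shown above (string values keep their content, other values stay raw).
    """
    try:
        import tomllib
        return tomllib.loads(text)
    except ImportError:
        pass
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = data.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        (section if section is not None else data)[key.strip()] = value
    return data


def audit_admin_api_key(config_text):
    """Return a list of findings about admin_api_key; an empty list means OK."""
    cfg = parse_config(config_text)
    key = cfg.get("master", {}).get("admin_api_key", "")
    findings = []
    if not isinstance(key, str) or key == "":
        findings.append(
            "admin_api_key is empty: on Gorse before 0.5.10, /api/dump and "
            "/api/restore accept unauthenticated requests"
        )
    elif len(key) < MIN_KEY_LEN:
        findings.append(
            f"admin_api_key is set but only {len(key)} characters long; "
            f"use at least {MIN_KEY_LEN}"
        )
    return findings


def generate_admin_api_key(nbytes=32):
    """Cryptographically random key, hex-encoded (64 characters for 32 bytes)."""
    return secrets.token_hex(nbytes)


def set_admin_api_key(config_text, key):
    """Replace the admin_api_key value in place, or add it under [master].

    If the file has neither the key nor a [master] section, the text is
    returned unchanged and audit_admin_api_key() will still flag it.
    """
    pattern = re.compile(r'^(\s*admin_api_key\s*=\s*)"[^"]*"', re.MULTILINE)
    if pattern.search(config_text):
        return pattern.sub(lambda m: f'{m.group(1)}"{key}"', config_text)
    return config_text.replace("[master]", f'[master]\nadmin_api_key = "{key}"', 1)


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_admin_api_key(text) or ['OK']}")
    fixed = set_admin_api_key(DEFAULT_CONFIG, generate_admin_api_key())
    print(f"default after fix: {audit_admin_api_key(fixed) or ['OK']}")
    print(fixed)
```

Run it against a copy of the deployed config.toml; a non-empty finding list means the instance relies on the network perimeter alone for these two endpoints until it is upgraded. The generated key only takes effect after the Gorse master is restarted with the new configuration, and clients that call the administrative endpoints must be updated to send it.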

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Gorse-io; Gorse-io gorse
Vendors & Products    -                Gorse-io; Gorse-io gorse

Mon, 29 Jun 2026 20:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 18:15:00 +0000

Type          Values Removed   Values Added
Description   -                Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.
Title         -                Gorse - Unauthenticated Database Dump and Restore via /api/dump and /api/restore Endpoints
Weaknesses    -                CWE-306
References    -
Metrics       -                cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                               cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T11:15:43.114Z

Reserved: 2026-06-23T01:24:27.650Z

Link: CVE-2026-56782

Vulnrichment

Updated: 2026-06-29T19:41:29.336Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:04:06Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function