Impact
Gorse versions prior to 0.5.10 contain a direct authentication bypass (CWE‑306) in the /api/dump and /api/restore endpoints. Because admin_api_key is empty by default, an unauthenticated attacker can execute these protected operations. The attacker can extract the entire database, including user identities, items, and feedback data, or can overwrite it completely, effectively deleting or corrupting the system’s data. This leads to significant confidentiality and integrity compromise, exposing personally identifiable information and potentially eliminating all stored information.
Affected Systems
The vulnerability affects Gorse from gorse‑io, specifically any release before 0.5.10 in which admin_api_key is not set and therefore keeps its default empty value. Users running these older versions without configuring a custom admin_api_key are exposed.
Risk and Exploitability
The CVSS score of 9.3 indicates a critical level of risk. No EPSS score is available and Gorse is not listed in CISA KEV, but remote attackers can exploit the vulnerability with unauthenticated HTTP requests to the exposed endpoints. Because the default configuration requires no credentials, the attack is trivial to carry out over the network, making exploitation both likely and easy.
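A fail-closed guard for admin endpoints such as /api/dump and /api/restore, shown as an added example; it is not Gorse's code or the upstream fix. The requireAdminKey and probe names, the X-API-Key header and the sample key are assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// requireAdminKey guards an admin handler and fails closed: an empty
// configured key disables the endpoint instead of leaving it open.
// The X-API-Key header name is an assumption made for this example.
func requireAdminKey(adminAPIKey string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Check this first: an empty configured key would otherwise
		// compare equal to a request that sends no key at all.
		if adminAPIKey == "" {
			http.Error(w, "admin API disabled: admin_api_key is not set", http.StatusForbidden)
			return
		}
		got := r.Header.Get("X-API-Key")
		// Constant-time comparison avoids leaking key bytes through timing.
		if subtle.ConstantTimeCompare([]byte(got), []byte(adminAPIKey)) != 1 {
			http.Error(w, "invalid admin API key", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the guard and returns the status.
func probe(configuredKey, presentedKey, path string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // stands in for the dump/restore logic
	})
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if presentedKey != "" {
		req.Header.Set("X-API-Key", presentedKey)
	}
	rec := httptest.NewRecorder()
	requireAdminKey(configuredKey, backend).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe("", "", "/api/dump"))                  // 403: default empty key
	fmt.Println(probe("sample-key", "", "/api/restore"))     // 401: no key presented
	fmt.Println(probe("sample-key", "sample-key", "/api/dump")) // 200: correct key
}
```

With this pattern a deployment that never sets a key loses the admin endpoints instead of exposing them, so the misconfiguration shows up as a refused request.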