CVE-2026-56782

CRITICAL 9.8

Gorse - Unauthenticated Database Dump and Restore via /api/dump and /api/restore Endpoints

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.

CWE	CWE-306
Vendor	gorse-io
Product	gorse
Published	Jun 29, 2026
Last Updated	Jun 29, 2026

Stay Ahead of the Next One

Get instant alerts for gorse-io gorse

Be the first to know when new critical vulnerabilities affecting gorse-io gorse are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

gorse-io / gorse

0 < 0.5.10

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/gorse-io/gorse/issues/1292 github.com: https://github.com/gorse-io/gorse/pull/1293 github.com: https://github.com/gorse-io/gorse/commit/19fdcbb309fb5b609e9cc3eb10c74885b5b27da9 vulncheck.com: https://www.vulncheck.com/advisories/gorse-unauthenticated-database-dump-and-restore-via-api-dump-and-api-restore-endpoints

Credits

George Chen