CVE-2026-59805
Gumroad < 2026.07.06.2 - Insecure Direct Object Reference in PurchasesController
CVSS Score
6.5
EPSS Score
0.2%
EPSS Percentile
13th
Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController that allows authenticated sellers to manipulate purchase access for other sellers' products by sending PUT requests to the revoke_access and undo_revoke_access actions without seller ownership validation. Attackers can modify the is_access_revoked status on arbitrary purchases to unauthorized revoke or restore buyer access to products they do not own.
| CWE | CWE-862 |
| Vendor | antiwork |
| Product | gumroad |
| Published | Jul 8, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for antiwork gumroad
Be the first to know when new medium vulnerabilities affecting antiwork gumroad are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Affected Versions
antiwork / gumroad
0 < 2026.07.06.2
References
github.com: https://github.com/antiwork/gumroad/issues/5725 github.com: https://github.com/antiwork/gumroad/releases/tag/v2026.07.06.2 github.com: https://github.com/antiwork/gumroad/pull/5731 github.com: https://github.com/antiwork/gumroad/commit/e7fd0e610e73135ecf1aa07c197a36fa524832e1 vulncheck.com: https://www.vulncheck.com/advisories/gumroad-insecure-direct-object-reference-in-purchasescontroller
Credits
George Chen