Skip to main content

Gorse CVE-2026-56782

| EUVDEUVD-2026-40158 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-29 disclosure@vulncheck.com GHSA-65p2-39gr-3m25
9.3
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Network-reachable endpoint with default empty key gives AV:N/AC:L/PR:N/UI:N; /api/dump exposes all data (C:H) while /api/restore overwrites the dataset (I:H, A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 29, 2026 - 19:01 EUVD
Analysis Generated
Jun 29, 2026 - 18:32 vuln.today

DescriptionCVE.org

Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.

AnalysisAI

Unauthenticated database exfiltration and overwrite in Gorse (the open-source Go recommendation engine) before 0.5.10 lets remote attackers hit the /api/dump and /api/restore endpoints whenever admin_api_key is unset - the out-of-the-box default - bypassing authentication entirely. Attackers can dump the full backing dataset (user records, items, and feedback containing PII) or restore/overwrite it with arbitrary data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed Gorse API
Delivery
Send unauthenticated GET /api/dump
Exploit
Bypass empty admin_api_key check
Execution
Exfiltrate full dataset with PII
Impact
POST /api/restore to overwrite data

Vulnerability AssessmentAI

Exploitation Two concrete conditions, both satisfied by default: (1) the Gorse HTTP API must be network-reachable by the attacker, and (2) admin_api_key must be empty - which is the shipped default configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to genuine high priority on exposed instances. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans for internet-exposed Gorse instances and sends an unauthenticated GET to /api/dump, receiving the entire dataset - user records, items, and feedback containing PII - in a single response. The same actor can then POST to /api/restore to overwrite the production dataset with poisoned or empty data, corrupting recommendations or destroying the database. …
Remediation Vendor-released patch: upgrade to Gorse 0.5.10 or later, which corrects the empty-key authentication bypass on /api/dump and /api/restore (PR #1293, commit 19fdcbb). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Gorse deployments and verify if admin_api_key is configured in production environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56782 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy