Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint with default empty key gives AV:N/AC:L/PR:N/UI:N; /api/dump exposes all data (C:H) while /api/restore overwrites the dataset (I:H, A:H).
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.
AnalysisAI
Unauthenticated database exfiltration and overwrite in Gorse (the open-source Go recommendation engine) before 0.5.10 lets remote attackers hit the /api/dump and /api/restore endpoints whenever admin_api_key is unset - the out-of-the-box default - bypassing authentication entirely. Attackers can dump the full backing dataset (user records, items, and feedback containing PII) or restore/overwrite it with arbitrary data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two concrete conditions, both satisfied by default: (1) the Gorse HTTP API must be network-reachable by the attacker, and (2) admin_api_key must be empty - which is the shipped default configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to genuine high priority on exposed instances. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans for internet-exposed Gorse instances and sends an unauthenticated GET to /api/dump, receiving the entire dataset - user records, items, and feedback containing PII - in a single response. The same actor can then POST to /api/restore to overwrite the production dataset with poisoned or empty data, corrupting recommendations or destroying the database. … |
| Remediation | Vendor-released patch: upgrade to Gorse 0.5.10 or later, which corrects the empty-key authentication bypass on /api/dump and /api/restore (PR #1293, commit 19fdcbb). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Gorse deployments and verify if admin_api_key is configured in production environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40158
GHSA-65p2-39gr-3m25