CVE-2026-56782: Missing Authentication for Critical Function in gorse-io gorse
Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.
AI Analysis
Technical Summary
CVE-2026-56782 describes an authentication bypass vulnerability in gorse versions before 0.5.10. The issue occurs because the /api/dump and /api/restore endpoints do not require authentication if the admin_api_key configuration is empty, which is the default. This allows remote attackers to access protected functionality without credentials, enabling them to extract or overwrite the entire database, including personally identifiable information stored in user records, items, and feedback data.
Potential Impact
An attacker can remotely bypass authentication controls and gain full access to critical API endpoints. This leads to complete data exfiltration of sensitive information and the ability to overwrite the entire dataset, causing data loss or manipulation. The impact is critical due to the exposure of personally identifiable information and the potential for destructive data modification.
Mitigation Recommendations
No official patch or fix is currently confirmed. Users should immediately configure a non-empty admin_api_key to enforce authentication on the /api/dump and /api/restore endpoints. Monitor the vendor advisory for updates on official remediation or patches. Until then, restricting access to these endpoints and setting a strong admin_api_key is essential to mitigate exploitation.
CVE-2026-56782: Missing Authentication for Critical Function in gorse-io gorse
Description
Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.
CVSS v4.0
Score 9.3critical
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-56782 describes an authentication bypass vulnerability in gorse versions before 0.5.10. The issue occurs because the /api/dump and /api/restore endpoints do not require authentication if the admin_api_key configuration is empty, which is the default. This allows remote attackers to access protected functionality without credentials, enabling them to extract or overwrite the entire database, including personally identifiable information stored in user records, items, and feedback data.
Potential Impact
An attacker can remotely bypass authentication controls and gain full access to critical API endpoints. This leads to complete data exfiltration of sensitive information and the ability to overwrite the entire dataset, causing data loss or manipulation. The impact is critical due to the exposure of personally identifiable information and the potential for destructive data modification.
Mitigation Recommendations
No official patch or fix is currently confirmed. Users should immediately configure a non-empty admin_api_key to enforce authentication on the /api/dump and /api/restore endpoints. Monitor the vendor advisory for updates on official remediation or patches. Until then, restricting access to these endpoints and setting a strong admin_api_key is essential to mitigate exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-06-23T01:24:27.650Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a42b42727e9c7971940f829
Added to database: 06/29/2026, 18:06:31 UTC
Last enriched: 06/29/2026, 18:21:55 UTC
Last updated: 06/29/2026, 23:57:59 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.