CVE-2026-59805: Missing Authorization in antiwork gumroad
Gumroad versions prior to 2026.07.06.2 have a broken access control vulnerability in the PurchasesController. Authenticated sellers can send unauthorized PUT requests to revoke or restore buyer access to products they do not own. This allows manipulation of the is_access_revoked status on arbitrary purchases without proper ownership validation.
AI Analysis
Technical Summary
CVE-2026-59805 describes a broken access control vulnerability in the PurchasesController of Gumroad before version 2026.07.06.2. Authenticated sellers can exploit this flaw by sending PUT requests to the revoke_access and undo_revoke_access endpoints to modify the is_access_revoked status on purchases belonging to other sellers. The vulnerability arises because the application fails to validate seller ownership before allowing these actions, enabling unauthorized revocation or restoration of buyer access to products.
Potential Impact
An attacker with authenticated seller privileges can revoke or restore buyer access to products they do not own. This could disrupt legitimate buyers' access to purchased products or restore access improperly, potentially causing financial and reputational damage to affected sellers. The vulnerability does not require user interaction and has a low attack complexity, making exploitation feasible by authorized sellers.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict seller permissions where possible and monitor for suspicious activity related to purchase access modifications. Avoid granting unnecessary privileges to sellers that could allow abuse of these endpoints.
CVE-2026-59805: Missing Authorization in antiwork gumroad
Description
Gumroad versions prior to 2026.07.06.2 have a broken access control vulnerability in the PurchasesController. Authenticated sellers can send unauthorized PUT requests to revoke or restore buyer access to products they do not own. This allows manipulation of the is_access_revoked status on arbitrary purchases without proper ownership validation.
CVSS v4.0
Score 7.1high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-59805 describes a broken access control vulnerability in the PurchasesController of Gumroad before version 2026.07.06.2. Authenticated sellers can exploit this flaw by sending PUT requests to the revoke_access and undo_revoke_access endpoints to modify the is_access_revoked status on purchases belonging to other sellers. The vulnerability arises because the application fails to validate seller ownership before allowing these actions, enabling unauthorized revocation or restoration of buyer access to products.
Potential Impact
An attacker with authenticated seller privileges can revoke or restore buyer access to products they do not own. This could disrupt legitimate buyers' access to purchased products or restore access improperly, potentially causing financial and reputational damage to affected sellers. The vulnerability does not require user interaction and has a low attack complexity, making exploitation feasible by authorized sellers.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict seller permissions where possible and monitor for suspicious activity related to purchase access modifications. Avoid granting unnecessary privileges to sellers that could allow abuse of these endpoints.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-07-07T14:39:14.062Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4eafe9c9d9e3dbe3adea95
Added to database: 07/08/2026, 20:15:37 UTC
Last enriched: 07/08/2026, 20:28:15 UTC
Last updated: 07/08/2026, 21:57:18 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.