CVE-2026-56782

Source
https://cve.org/CVERecord?id=CVE-2026-56782
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56782.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-56782
Published
2026-06-29T17:16:14.050Z
Modified
2026-07-16T03:31:05.360232001Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Gorse - Unauthenticated Database Dump and Restore via /api/dump and /api/restore Endpoints
Details

Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when adminapikey is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56782.json",
    "cwe_ids": [
        "CWE-306"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/gorse-io/gorse

Affected ranges

Type
GIT
Repo
https://github.com/gorse-io/gorse
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.5.10"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.4.0
v0.4.1
v0.4.10
v0.4.11
v0.4.12
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.5.0
v0.5.0-alpha
v0.5.0-alpha.1
v0.5.0-alpha.2
v0.5.0-alpha.3
v0.5.0-alpha.4
v0.5.0-alpha.5
v0.5.0-alpha.6
v0.5.0-alpha.7
v0.5.0-alpha.8
v0.5.0-rc
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56782.json"