CVE-2026-56782 CRITICAL

CVE-2026-56782: Gorse - Unauthenticated Database Dump and Restore via /api/dump and /api/restore Endpoints

Vendor Gorse-Io
Product gorse
Weakness CWE-306 · Missing auth
Published June 29, 2026
Last update June 30, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.

Key dates

02Disclosure timeline

June 29, 2026 CVE published
June 30, 2026 Record updated