CVE-2026-56782
🟠 Patch this week
An authentication bypass in Gorse allows remote access to the database without a password.
CVSS: 9.8
EPSS: 0.0%
Exploit: none
Vendor
Source description (NVD)
Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.
auth-bypass
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.0% |
| Published (NVD) | 2026-06-29 18:16:38 UTC |
| Last modified (NVD) | 2026-06-29 20:17:39 UTC |
References
- https://github.com/gorse-io/gorse/commit/19fdcbb309fb5b609e9cc3eb10c74885b5b27da9 (disclosure@vulncheck.com)
- https://github.com/gorse-io/gorse/issues/1292 (disclosure@vulncheck.com)
- https://github.com/gorse-io/gorse/pull/1293 (disclosure@vulncheck.com)
- https://www.vulncheck.com/advisories/gorse-unauthenticated-database-dump-and-restore-via-api-dump-and-api-restore-endpoints (disclosure@vulncheck.com)