CRITICAL | CVE-2026-56782 | CNA: VulnCheck

CVE-2026-56782: Gorse - Unauthenticated Database Dump and Restore via /api/dump and /api/restore Endpoints

Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 0.5.10
Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability in Gorse, the open-source recommendation system, allows unauthenticated remote attackers to call the /api/dump and /api/restore endpoints without any credentials. The flaw is reachable over the network and requires no authentication because the default configuration leaves admin_api_key empty, which the server treats as key enforcement being disabled. Successful exploitation lets an attacker exfiltrate the entire database or overwrite it wholesale, affecting confidentiality, integrity, and availability. A patched-image rebuild at version 0.5.10 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Gorse. Any image carrying a Gorse version below 0.5.10 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 9.3 CRITICAL using the CVSS v4.0 vector and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at Gorse 0.5.10 becomes available through HarborGuard once the fix version is confirmed against the upstream release. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Gorse API service over the network; the vulnerable endpoints are exposed via HTTP and require no adjacent-network or physical access constraint.

  • Authentication: Not required

    No credentials are needed because the default configuration sets admin_api_key to an empty string, causing the server to skip all key enforcement on the dump and restore endpoints.

  • Victim interaction: Not required

    The attack is fully server-side; no user action, click, or social-engineering step is required to trigger the vulnerability.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free: the attacker sends a standard HTTP request to the unprotected endpoint and receives a full database dump or overwrites data without needing to satisfy any race condition or environmental prerequisite.
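
The empty-key behavior described under Authentication, shown as an added example (not Gorse's own code): a fail-open key check beside a fail-closed one that refuses admin requests while no key is configured. The handler, the function names, and the X-API-Key header name are assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// dump stands in for a sensitive admin handler such as /api/dump (hypothetical body).
func dump(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "constructed-dump") }

// failOpen: an empty configured key switches the check off, so the endpoint is public.
func failOpen(adminKey string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// X-API-Key is an assumed header name for this illustration.
		if adminKey != "" && r.Header.Get("X-API-Key") != adminKey {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// failClosed: no configured key means no access; supplied keys are compared in constant time.
func failClosed(adminKey string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get("X-API-Key"))
		if adminKey == "" || subtle.ConstantTimeCompare(got, []byte(adminKey)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// Status sends one in-memory GET carrying the given key and returns the HTTP status code.
func Status(h http.HandlerFunc, key string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/dump", nil)
	req.Header.Set("X-API-Key", key)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("fail-open, no key configured:  ", Status(failOpen("", dump), ""))
	fmt.Println("fail-closed, no key configured:", Status(failClosed("", dump), ""))
	fmt.Println("fail-closed, correct key:      ", Status(failClosed("constructed-key", dump), "constructed-key"))
}
```

The same fail-closed rule can be enforced at startup by refusing to register admin routes when the configured key is empty.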

Blast Radius

  • Reads the entire Gorse database, including user records, item catalogs, and behavioral feedback data that contains personally identifiable information.
  • Overwrites the full dataset with attacker-controlled content, corrupting recommendation outputs and any downstream systems that consume them.
  • Causes effective denial of service by replacing or deleting persisted data, rendering the recommendation service non-functional until the dataset is restored.

How HarborGuard Handles This

Available on HarborGuard: images containing Gorse versions below 0.5.10 are matched against this CVE within minutes of advisory ingestion. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at version 0.5.10, runs a regression test pass against the rebuilt image, and opens a pull request against affected workloads. For high and critical severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled.

While the rebuild is in progress, or for environments that do not permit auto-remediation, compensating controls include:

  • Applying a network policy that restricts access to the Gorse API port to trusted internal CIDRs only.
  • Setting a non-empty admin_api_key value via environment variable or a secrets manager before the next deployment.
  • Enabling egress filtering to prevent unauthorized data exfiltration from the Gorse process.


Fix available: 0.5.10
Patch commits
Affected packages
  • gorse-io / gorse
    < 0.5.10 (from 0)
    Fixed in 0.5.10
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N