Cyber Resilience

CVE-2026-56782

Severity: Critical · Public PoC

Published: 29 June 2026
Modified: 29 June 2026
KEV Added: not listed
CVSS v4 Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0302 (85.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-56782 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.2% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Vulnerability details

Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database, including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.

Related Threats

MITRE ATT&CK Enterprise Techniques

  • T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
  • T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
  • T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The authentication bypass on public API endpoints directly enables remote exploitation of the application (T1190), from which an attacker can exfiltrate database contents (T1005) and manipulate or overwrite stored data (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

  • CVE-2025-25224 (shared CWE-306)
  • CVE-2024-13186 (shared CWE-306)
  • CVE-2026-34732 (shared CWE-306)
  • CVE-2025-43428 (shared CWE-306)
  • CVE-2026-8602 (shared CWE-306)
  • CVE-2025-30111 (shared CWE-306)
  • CVE-2026-46612 (shared CWE-306)
  • CVE-2025-8861 (shared CWE-306)
  • CVE-2026-32646 (shared CWE-306)
  • CVE-2026-41473 (shared CWE-306)

Mitigating Controls (NIST 800-53 r5)

  • Prevent: Directly enforces authentication requirements on the /api/dump and /api/restore endpoints so that an empty admin_api_key does not grant unauthenticated access.
  • Prevent: Requires identification and authentication before allowing access to protected API functions, eliminating the bypass when the default key is empty.
  • Prevent: Mandates secure configuration settings that would prevent the insecure default of an empty admin_api_key from being deployed.
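The weakness class behind this CVE (an admin API key that is empty by default, so the check degrades to "no authentication") and the two mitigations listed above (enforce authentication on the admin endpoints; refuse the insecure default at configuration time) as an added Go example. This is illustrative code written for this page, not Gorse's own implementation; the Config type, the X-API-Key header name and the handler wiring are assumptions.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
)

// Config is a hypothetical stand-in for the affected setting, not Gorse's own type.
type Config struct {
	AdminAPIKey string // empty by default in the affected versions
}

// vulnerableAdminAuth models CWE-306: an unset key is treated as "no authentication required".
func vulnerableAdminAuth(cfg Config, presented string) bool {
	if cfg.AdminAPIKey == "" {
		return true
	}
	return subtle.ConstantTimeCompare([]byte(cfg.AdminAPIKey), []byte(presented)) == 1
}

// hardenedAdminAuth fails closed: an unset key denies every caller; a set key is compared in constant time.
func hardenedAdminAuth(cfg Config, presented string) bool {
	if cfg.AdminAPIKey == "" || presented == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(cfg.AdminAPIKey), []byte(presented)) == 1
}

// requireAdmin guards a handler with hardenedAdminAuth; the X-API-Key header name is an assumption.
func requireAdmin(cfg Config, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hardenedAdminAuth(cfg, r.Header.Get("X-API-Key")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	cfg := Config{} // the insecure default this CVE describes
	// Secure-configuration control: refuse to expose admin endpoints behind an empty key.
	if cfg.AdminAPIKey == "" {
		log.Fatal("admin_api_key is empty; refusing to expose /api/dump and /api/restore")
	}
	http.Handle("/api/dump", requireAdmin(cfg, http.NotFoundHandler())) // ListenAndServe would follow
}
```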

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (2 rules)
  • V-248585 OL 8 must require reauthentication when using the "sudo" command. via CWE-306
  • V-248827 OL 8 must not have the rsh-server package installed. via CWE-306
RHEL 7 (2 rules)
  • V-204442 The Red Hat Enterprise Linux operating system must not have the rsh-server package installed. via CWE-306
  • V-237635 The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command. via CWE-306
RHEL 8 (2 rules)
  • V-230492 RHEL 8 must not have the rsh-server package installed. via CWE-306
  • V-237643 RHEL 8 must require re-authentication when using the "sudo" command. via CWE-306
