CVE-2026-56782
Published: 29 June 2026
Summary
CVE-2026-56782 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-40158
Vulnerability details
Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass on public API endpoints directly enables remote exploitation of the application (T1190) to exfiltrate database contents (T1005) and to manipulate or overwrite stored data (T1565.001).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication requirements on the /api/dump and /api/restore endpoints so that an empty admin_api_key does not grant unauthenticated access.
- IA-2 (Identification and Authentication (Organizational Users)): requires identification and authentication before allowing access to protected API functions, eliminating the bypass when the default key is empty.
- Secure configuration settings: mandates a configuration baseline that would prevent the insecure default of an empty admin_api_key from being deployed.
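The fail-open pattern behind CWE-306 as described above, beside the fail-closed check that AC-3 and IA-2 call for, as an added illustration in Go (Gorse's implementation language). This is example code, not Gorse's own, and the `Config` type, the `X-API-Key` header name and the handler wiring are assumptions:

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
)

// Config stands in for the server configuration; an empty AdminAPIKey is
// the insecure default the advisory describes (type name is an assumption).
type Config struct {
	AdminAPIKey string
}

// vulnerableAuth is the CWE-306 pattern in miniature: with no key configured
// the check is skipped, so /api/dump and /api/restore open to everyone.
func vulnerableAuth(cfg Config, presented string) bool {
	if cfg.AdminAPIKey == "" {
		return true // "nothing to compare against" becomes "everyone is admin"
	}
	return subtle.ConstantTimeCompare([]byte(cfg.AdminAPIKey), []byte(presented)) == 1
}

// hardenedAuth fails closed: an unset key disables the admin endpoints
// instead of opening them, and a presented key must match exactly.
func hardenedAuth(cfg Config, presented string) bool {
	if cfg.AdminAPIKey == "" || presented == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(cfg.AdminAPIKey), []byte(presented)) == 1
}

// requireAdmin wraps an admin-only handler (dump, restore) with the
// fail-closed check. The X-API-Key header name is an assumption here.
func requireAdmin(cfg Config, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hardenedAuth(cfg, r.Header.Get("X-API-Key")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	empty := Config{} // the default configuration the advisory warns about
	fmt.Println("vulnerable pattern, empty key, no credential:", vulnerableAuth(empty, "")) // true
	fmt.Println("hardened pattern, empty key, no credential:", hardenedAuth(empty, ""))     // false
}
```

A deployment that cannot provision a key should refuse to register the dump and restore routes at all, which is what the fail-closed branch achieves at request time.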
Hardening callouts (derived)
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (2 rules)
- V-248585 OL 8 must require reauthentication when using the "sudo" command. (via CWE-306)
- V-248827 OL 8 must not have the rsh-server package installed. (via CWE-306)
RHEL 7 (2 rules)
- V-204442 The Red Hat Enterprise Linux operating system must not have the rsh-server package installed. (via CWE-306)
- V-237635 The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command. (via CWE-306)
RHEL 8 (2 rules)
- V-230492 RHEL 8 must not have the rsh-server package installed. (via CWE-306)
- V-237643 RHEL 8 must require re-authentication when using the "sudo" command. (via CWE-306)