PT-2026-56567 · Antiwork · Gumroad
George Chen
·
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-59805
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController that allows authenticated sellers to manipulate purchase access for other sellers' products by sending PUT requests to the revoke access and undo revoke access actions without seller ownership validation. Attackers can modify the is access revoked status on arbitrary purchases to unauthorized revoke or restore buyer access to products they do not own.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Gumroad