PT-2026-56567 · Antiwork · Gumroad

George Chen

·

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-59805

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController that allows authenticated sellers to manipulate purchase access for other sellers' products by sending PUT requests to the revoke access and undo revoke access actions without seller ownership validation. Attackers can modify the is access revoked status on arbitrary purchases to unauthorized revoke or restore buyer access to products they do not own.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59805

Affected Products

Gumroad