PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59805 antiwork CVE debrief

Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController. Authenticated sellers can manipulate purchase access for other sellers' products by sending PUT requests to revoke_access and undo_revoke_access actions without seller ownership validation. This vulnerability allows attackers to modify the is_access_revoked status on arbitrary purchases, potentially leading to unauthorized revocation or restoration of buyer access to products they do not own. The vulnerability has a high CVSS score of 7.1, indicating a high severity level. Security teams and administrators should be aware of this vulnerability and take immediate action to update to version 2026.07.06.2 or later.

Vendor
antiwork
Product
gumroad
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Security teams and administrators of Gumroad should be aware of this vulnerability and take immediate action to update to version 2026.07.06.2 or later. They should review and monitor purchase access for potential unauthorized changes and implement additional access controls and monitoring for the PurchasesController. Operators of affected deployments, platform administrators, and vulnerability management teams should prioritize this vulnerability due to its high severity and potential impact.

Technical summary

The vulnerability exists in the PurchasesController of Gumroad, allowing authenticated sellers to modify the is_access_revoked status on arbitrary purchases. This can lead to unauthorized revocation or restoration of buyer access to products they do not own. The vulnerability is caused by a lack of seller ownership validation for PUT requests to the revoke_access and undo_revoke_access actions. The high CVSS score of 7.1 reflects the potential for significant unauthorized access manipulation. Affected product deployments should be identified, and owners assigned for follow-up.

Defensive priority

High priority due to the high CVSS score of 7.1 and the potential for unauthorized access manipulation.

Recommended defensive actions

  • Update Gumroad to version 2026.07.06.2 or later
  • Review and monitor purchase access for potential unauthorized changes
  • Implement additional access controls and monitoring for the PurchasesController
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record and NVD entry provide details on the vulnerability. The source references include GitHub commits, issues, and pull requests related to the fix. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected deployments, review official advisories, and monitor for potential unauthorized changes. Additional details may be available through vendor communications or internal assessments.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T20:16:56.250Z and has not been modified since.