HIGH
antiwork
CVE published 2026-07-08
CVE-2026-59805
Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController. Authenticated sellers can manipulate purchase access for other sellers' products by sending PUT requests to revoke_access and undo_revoke_access actions without seller ownership validation. This vulnerability allows attackers to modify the is_access_revoked status on arbitrary purchases, potentially lead [truncated]