CVE-2025-70963 in Gophish

Summary

by MITRE • 02/06/2026

Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context.


Analysis

by VulDB Data Team • 02/11/2026

The vulnerability identified as CVE-2025-70963 affects Gophish versions 0.12.1 and earlier. It is a critical access control flaw in the administrative dashboard, the component that manages user accounts and API access: the web interface fails to enforce proper authorization checks before exposing sensitive data, so privileged information becomes accessible to unauthorized parties through client-side means, which undermines the security posture of the phishing simulation platform.

Technically, the flaw is the direct embedding of each user's long-lived API key in the HTML and JavaScript source of the administrative dashboard page. When a user authenticates and opens the dashboard, the server renders the credential as plain text in the browser context, bypassing the safeguards that should keep such credentials out of page source. Any malicious script executing in the same browser session can read the key through DOM traversal or direct script execution, which gives an attacker persistent administrative access to the Gophish platform.

The operational impact goes well beyond simple credential exposure, because the key lets an attacker keep access to the phishing platform without any further authentication factor or session. With a long-lived API key, an attacker can perform any administrative action in the Gophish environment: create new campaigns, modify existing phishing templates, read collected phishing data, and potentially pivot to other connected systems. Because the key is permanent, logging out or letting the session expire does not revoke it; it stays available to anyone able to execute scripts in the browser context. This makes the flaw especially dangerous where the administrative dashboard is used by several people or where browser-based attacks are possible.

This vulnerability aligns with CWE-284 (Improper Access Control), here in the form of sensitive information exposed through inadequate authorization enforcement. It also maps to ATT&CK technique T1566 (Phishing), since the compromised API keys could be used to run more sophisticated and persistent phishing operations. Exposing API keys through client-side rendering further violates the principle of least privilege: administrative credentials are placed in the browser environment, where they serve no purpose and can be read by malicious scripts or through compromised user sessions.

Mitigation requires keeping sensitive information server-side: API keys must never be transmitted to the client unless absolutely necessary, and then only through a properly secured path. Organizations should enforce access controls that prevent administrative credentials from appearing in browser contexts and require every API key access to go through a server-side, authenticated mechanism. The recommended remediation is to upgrade to a Gophish version that addresses this access control flaw, to apply proper input validation and output encoding across all dashboard components, and to establish strict browser security policies that prevent unauthorized script execution. Organizations should also review their other web applications for the same exposure pattern and adopt credential management practices that ensure sensitive information is never rendered client-side without appropriate safeguards.
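As an added illustration of the mitigation above, the following Go program (written for this page; it is not Gophish code and does not reproduce the project's templates or handlers) renders a dashboard two ways: a vulnerable template that writes the API key into an inline script, as the advisory describes, and a hardened template that omits the key and offers it only through a separate, explicitly authenticated endpoint. It also includes the simple check a reviewer can run against any rendered page: does the credential appear in the HTML at all? The user record, key value, session token and X-Session header are all constructed placeholders for a real session check.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample data; nothing here comes from Gophish itself.
type user struct {
	Name   string
	APIKey string
}

const sampleKey = "EXAMPLEKEY0123456789abcdef"     // constructed placeholder credential
const sampleSession = "constructed-session-token" // stand-in for a validated login session

var sampleUser = user{Name: "admin", APIKey: sampleKey}

// vulnerableTmpl reproduces the pattern the advisory describes: the long-lived
// key is written into the page source, so any script in the page can read it.
var vulnerableTmpl = template.Must(template.New("dash").Parse(
	`<html><body><h1>Dashboard for {{.Name}}</h1>
<script>var api_key = "{{.APIKey}}";</script>
</body></html>`))

// hardenedTmpl renders the same dashboard without the credential; the key is
// only obtainable through a separate, explicitly authenticated request.
var hardenedTmpl = template.Must(template.New("dash").Parse(
	`<html><body><h1>Dashboard for {{.Name}}</h1>
<p><a href="/settings/api-key">Reveal or rotate your API key</a></p>
</body></html>`))

func vulnerableDashboard(w http.ResponseWriter, r *http.Request) {
	_ = vulnerableTmpl.Execute(w, sampleUser)
}

func hardenedDashboard(w http.ResponseWriter, r *http.Request) {
	_ = hardenedTmpl.Execute(w, sampleUser)
}

// revealKey is the server-side path for the key: POST only, and only with a
// valid session. The X-Session header comparison is a hypothetical stand-in
// for real session validation; the response is marked non-cacheable.
func revealKey(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	if r.Header.Get("X-Session") != sampleSession {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	w.Header().Set("Cache-Control", "no-store")
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(map[string]string{"api_key": sampleUser.APIKey})
}

// serve runs a handler against an in-memory request and returns the recorder.
func serve(h http.HandlerFunc, req *http.Request) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec
}

// pageLeaksKey is the review check: does the credential appear anywhere in
// the rendered HTML or its inline scripts?
func pageLeaksKey(body, key string) bool {
	return strings.Contains(body, key)
}

func main() {
	get := httptest.NewRequest(http.MethodGet, "/", nil)
	fmt.Println("vulnerable page leaks key:",
		pageLeaksKey(serve(vulnerableDashboard, get).Body.String(), sampleKey))
	fmt.Println("hardened page leaks key:",
		pageLeaksKey(serve(hardenedDashboard, get).Body.String(), sampleKey))

	post := httptest.NewRequest(http.MethodPost, "/settings/api-key", nil)
	post.Header.Set("X-Session", sampleSession)
	fmt.Println("reveal with valid session, status:", serve(revealKey, post).Code)
}
```

The same pageLeaksKey check can be run against a staging instance after login to confirm that no page source contains a user's key; in a real deployment the reveal endpoint should additionally be tied to the authenticated user's own record and audit-logged, since it is now the single place where the credential crosses to the client.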

Responsible: MITRE
Reservation: 01/09/2026
Disclosure: 02/06/2026
Moderation: accepted
CPE: ready
EPSS: 0.00017
KEV: no
Activities: very low
