CVE-2026-59805 in Gumroad
Summary
by MITRE • 07/08/2026
Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController that allows authenticated sellers to manipulate purchase access for other sellers' products by sending PUT requests to the revoke_access and undo_revoke_access actions without seller ownership validation. Attackers can modify the is_access_revoked status on arbitrary purchases to unauthorized revoke or restore buyer access to products they do not own.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
This vulnerability represents a critical broken access control flaw in Gumroad's purchase management system that undermines the fundamental security boundaries between seller accounts. The issue exists within the PurchasesController component where the revoke_access and undo_revoke_access endpoints lack proper validation to ensure that sellers only operate on their own products. The vulnerability stems from insufficient authorization checks that should verify seller ownership before allowing modifications to purchase access status. This flaw directly violates the principle of least privilege and allows authenticated attackers to escalate their privileges through manipulation of purchase records.
The technical implementation of this vulnerability enables attackers to exploit the PUT request endpoints by crafting malicious requests that target specific purchase identifiers regardless of product ownership. When a seller sends a request to revoke or restore access to a purchase, the system fails to validate whether the requesting seller has legitimate ownership rights over the associated product. This validation gap creates a path for privilege escalation where unauthorized sellers can modify access controls for products belonging to other sellers. The vulnerability exists across all versions prior to 2026.07.06.2 and affects the core purchase management functionality that governs buyer access permissions.
The operational impact of this vulnerability extends beyond simple data manipulation as it compromises the integrity of the entire commerce ecosystem within Gumroad's platform. Attackers can potentially revoke legitimate buyer access to products they do not own, effectively locking out customers from purchases they have legitimately made. Conversely, attackers could restore access to products they don't own, allowing unauthorized individuals to gain access to premium content or services. This creates a significant risk for both sellers who lose control over their product distribution and buyers who face potential loss of purchased content or fraudulent access.
From a cybersecurity perspective, this vulnerability aligns with CWE-285 which addresses improper authorization scenarios in software systems. The flaw represents an authorization bypass that allows attackers to perform actions outside their designated permissions, creating a pathway for data manipulation and potential financial loss. Additionally, this vulnerability maps to ATT&CK technique T1078 which covers valid accounts usage, as it exploits legitimate seller accounts to perform unauthorized operations within the system. The attack vector requires minimal complexity since attackers only need valid seller authentication credentials to exploit this flaw.
Mitigation strategies should focus on implementing robust authorization checks that validate seller ownership before processing access modification requests. The system must enforce strict validation of product ownership through database queries that cross-reference seller identifiers with purchase records. Additionally, logging and monitoring mechanisms should be enhanced to detect unusual patterns in access control modifications, particularly when multiple sellers attempt to modify the same purchase record. Regular security audits should verify that all endpoints properly validate user permissions and that access control logic prevents unauthorized operations on foreign resources. The fix should include comprehensive input validation and ensure that all seller-facing purchase management functions require explicit ownership verification before executing any access modification operations.