Description
Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController that allows authenticated sellers to manipulate purchase access for other sellers' products by sending PUT requests to the revoke_access and undo_revoke_access actions without seller ownership validation. Attackers can modify the is_access_revoked status on arbitrary purchases to unauthorized revoke or restore buyer access to products they do not own.
Problem types
Product status
Any version before 2026.07.06.2
Credits
George Chen
References
github.com/antiwork/gumroad/issues/5725 (Researcher Disclousure)
github.com/antiwork/gumroad/releases/tag/v2026.07.06.2 (Release Notes)
github.com/antiwork/gumroad/pull/5731 (Fix PR)
github.com/...ommit/e7fd0e610e73135ecf1aa07c197a36fa524832e1 (Fix Commit)
www.vulncheck.com/...object-reference-in-purchasescontroller