Access Control Flaw in Gophish by Gophish Team
CVE-2025-70963

7.6 HIGH

Key Information:

  • Status: (not recorded on this page)
  • Vendor: (not recorded on this page)
  • CVE Published: 6 February 2026

What is CVE-2025-70963?

Gophish version 0.12.1 and earlier contains an incorrect access control flaw. On every login, the administrative dashboard embeds the user's long-lived API key in the rendered HTML and JavaScript. Because the key is part of the page, any script running in the user's browser context can read a permanent API credential, which could lead to compromise of user accounts and sensitive data. Users should upgrade to a patched version to mitigate this vulnerability.
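The pattern described above, a server-side template that writes a long-lived credential into the page, is shown below as an added illustration in Go (the language Gophish is written in). This is constructed example code, not Gophish's own handlers or templates: the `Session` type, both templates, the `constructedkey...` value and the `LeaksSecret` check are all assumptions made for the demonstration. The leaky template hands the whole session object to the page, so the key lands in a script block; the hardened version passes a view model that carries only what the dashboard needs to display, and a regression check asserts that the rendered output never contains the secret.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Session is a constructed stand-in for an authenticated dashboard user.
// It is NOT Gophish's user model.
type Session struct {
	Username string
	APIKey   string // long-lived credential; must never reach the rendered page
}

// Vulnerable pattern (constructed): the full session, key included, is passed to
// the template, and the template inlines the key into a <script> block, where
// any script running in the page can read it.
const leakyTmpl = `<html><body>
<h1>Welcome {{.Username}}</h1>
<script>var apiKey = "{{.APIKey}}";</script>
</body></html>`

// Hardened pattern: the template only ever sees a view model that contains the
// fields the page needs to display. The API key is simply not available to it.
type DashboardView struct {
	Username string
}

const safeTmpl = `<html><body>
<h1>Welcome {{.Username}}</h1>
</body></html>`

// render parses and executes a template with html/template, which applies
// context-aware escaping (it does not, however, stop a secret from being emitted
// if the secret is deliberately placed in the template data).
func render(tmpl string, data interface{}) (string, error) {
	t, err := template.New("dashboard").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderLeaky reproduces the flaw class: the credential is in the template data.
func RenderLeaky(s Session) (string, error) {
	return render(leakyTmpl, s)
}

// RenderSafe narrows the data to a display-only view model before rendering.
func RenderSafe(s Session) (string, error) {
	return render(safeTmpl, DashboardView{Username: s.Username})
}

// LeaksSecret is a simple regression check a project can run over rendered
// pages in its test suite: does the HTML contain the credential verbatim?
func LeaksSecret(page, secret string) bool {
	return strings.Contains(page, secret)
}

func main() {
	// Constructed sample session; the key is a placeholder, not a real credential.
	s := Session{Username: "admin", APIKey: "constructedkey0123456789abcdef"}

	leaky, _ := RenderLeaky(s)
	safe, _ := RenderSafe(s)

	fmt.Printf("leaky template exposes API key: %v\n", LeaksSecret(leaky, s.APIKey)) // true
	fmt.Printf("hardened template exposes API key: %v\n", LeaksSecret(safe, s.APIKey)) // false
}
```

The design point is that html/template's escaping protects against markup injection, not against disclosure: a value placed in template data will be emitted, escaped or not. The mitigation is to keep credentials out of the data passed to page templates altogether and to enforce that with a check like `LeaksSecret` in the test suite.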

CVSS V3.1

  • Score: 7.6
  • Severity: HIGH
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged

Timeline

  • Vulnerability published (date not recorded on this page)
  • Vulnerability reserved (date not recorded on this page)