SB2026060817 - Multiple vulnerabilities in Gitea




Published: June 8, 2026

Security Bulletin ID: SB2026060817
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 50% (3 of 6), Low: 50% (3 of 6)

Description

This security bulletin contains information about 6 vulnerabilities. All six are authorization flaws (CWE-862, CWE-863, CWE-284) and every CVSS vector below carries PR:L, meaning each requires an authenticated user or a valid API token; none is exploitable anonymously.


1) Incorrect authorization (CVE-ID: CVE-2026-28744)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote authenticated user to read and modify repository contents beyond what the presented token was scoped for.

The vulnerability exists due to incorrect authorization in the Git Smart HTTP authorization path when processing Bearer-authenticated repository operations. A remote user can present a PAT or OAuth2 token as a Bearer credential and have its repository scope go unenforced, allowing clone, fetch or push operations the token's scopes should not permit.

The flaw is limited to enforcement of repository scopes for Bearer or OAuth2 authentication in Git Smart HTTP. The token owner's normal repository permissions (RBAC) still apply, so the bypass cannot exceed what the owner could do with a full-scope token.


2) Missing Authorization (CVE-ID: CVE-2026-27783)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to missing authorization in the issue-template API endpoints when handling requests to read issue-template and issue-config files from the repository default branch. A remote user can send crafted API requests to read those files from a private repository without holding Code-unit permission on it.

The issue affects private repositories when the caller has access to any repository unit, such as the Issues unit, but lacks Code-unit permission.


3) Improper access control (CVE-ID: CVE-2026-20706)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated user holding a token without repository scope to disclose the full contents of a private repository.

The vulnerability exists due to improper access control in the /archive/* download endpoint when handling archive download requests with an OAuth2 or personal access token that has only non-repository scope. A remote user can send a crafted request to download a full private repository archive to disclose sensitive repository contents.

The issue affects the web archive download path, while the API archive endpoint is properly scope-checked.


4) Incorrect authorization (CVE-ID: CVE-2026-28699)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to bypass OAuth2 token scope restrictions and perform unauthorized write actions.

The vulnerability exists due to incorrect authorization in services/auth/basic.go and the tokenRequiresScopes middleware in routers/api/v1/api.go when submitting an OAuth2 access token via HTTP Basic authentication instead of a Bearer token. A remote user can send a crafted API request using the token through the Basic authentication path to bypass OAuth2 token scope restrictions and perform unauthorized write actions.

The bypass is limited by the authorizing user's existing repository permissions and does not grant administrative access.


5) Incorrect authorization (CVE-ID: CVE-2026-26231)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user with only read access to push arbitrary commits to a repository.

The vulnerability exists due to incorrect authorization in the pull request creation and pre-receive authorization logic when creating a reverse-fork pull request with "Allow edits from maintainers" enabled and then pushing over HTTP or SSH. A remote user can create such a pull request and push commits to the target repository, bypassing the write-access check that would otherwise reject the push.

Exploitation requires read access to the target repository; the vulnerable authorization path is only reached when proc-receive support is enabled.
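Entry 5 concerns the direction in which "Allow edits from maintainers" grants push rights. The following Go example is added here to illustrate the check and is not Gitea's code: the Repo and PullRequest types, the WriteFn callback, and the reading of "reverse-fork pull request" as a PR whose base is the attacker's fork and whose head branch lives in the upstream repository are all assumptions made for this illustration. canPushWeak is the weak pattern this entry's description implies, where any writer of a PR's base repository may push to the PR's head branch; canPush adds the condition that the head repository must be a fork of the base repository, so the grant can only flow into a fork and never into its parent.

```go
package main

import "fmt"

// Repo and PullRequest are minimal models made for this example; they are
// not Gitea's types. ForkOfID is 0 when the repository is not a fork.
type Repo struct {
	ID       int64
	Name     string
	ForkOfID int64
}

type PullRequest struct {
	BaseRepo            *Repo
	HeadRepo            *Repo
	HeadBranch          string
	AllowMaintainerEdit bool
}

// WriteFn answers whether user has ordinary write permission on repo
// (the repository RBAC decision, supplied by the caller in this example).
type WriteFn func(user string, repo *Repo) bool

// canPushWeak: any open PR flagged "allow edits from maintainers" lets a
// writer of the PR's base repository push to the PR's head branch, with no
// check of which repository is the fork. A PR opened from an upstream
// branch into the attacker's own fork therefore lets the attacker, who
// writes to the fork, push into upstream while holding only read access.
func canPushWeak(user string, repo *Repo, branch string, prs []PullRequest, write WriteFn) bool {
	if write(user, repo) {
		return true
	}
	for _, pr := range prs {
		if pr.AllowMaintainerEdit && pr.HeadRepo.ID == repo.ID && pr.HeadBranch == branch && write(user, pr.BaseRepo) {
			return true
		}
	}
	return false
}

// canPush is the hardened form: the maintainer-edit grant applies only when
// the head repository is a fork of the base repository.
func canPush(user string, repo *Repo, branch string, prs []PullRequest, write WriteFn) bool {
	if write(user, repo) {
		return true
	}
	for _, pr := range prs {
		if !pr.AllowMaintainerEdit || pr.HeadRepo.ID != repo.ID || pr.HeadBranch != branch {
			continue
		}
		if pr.HeadRepo.ForkOfID != pr.BaseRepo.ID {
			continue // head is not a fork of base: no maintainer-edit path exists
		}
		if write(user, pr.BaseRepo) {
			return true
		}
	}
	return false
}

func main() {
	upstream := &Repo{ID: 1, Name: "org/upstream"}
	fork := &Repo{ID: 2, Name: "mallory/fork", ForkOfID: upstream.ID}
	// Constructed permissions: mallory writes only to her own fork.
	perms := map[string]map[int64]bool{"mallory": {fork.ID: true}}
	write := func(u string, r *Repo) bool { return perms[u][r.ID] }
	// Reverse-fork PR: base is the attacker's fork, head is upstream's main branch.
	reverse := []PullRequest{{BaseRepo: fork, HeadRepo: upstream, HeadBranch: "main", AllowMaintainerEdit: true}}
	fmt.Println("weak check lets mallory push to upstream/main:", canPushWeak("mallory", upstream, "main", reverse, write))
	fmt.Println("hardened check lets mallory push to upstream/main:", canPush("mallory", upstream, "main", reverse, write))
}
```

The same fork-relationship condition belongs at pull request creation as well as in the pre-receive hook, since the advisory names both; enforcing it only at push time still leaves a misleading PR object in the database.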


6) Missing Authorization (CVE-ID: CVE-2026-25714)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to missing authorization in the /user/orgs API endpoint when handling requests made with a public-only scoped API token. A remote user can send a request to the endpoint with such a token to disclose organization memberships the token should not reveal.

The issue exposes private and limited-visibility organizations that belong to the token owner; a public-only token should return only public organizations.
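Entries 1, 3, 4 and 6 share one root cause: token scope is enforced on some code paths (Bearer on the API, the API archive endpoint) but not on parallel ones (Git Smart HTTP, the web archive path, HTTP Basic carrying an OAuth2 token, the public-only flag on /user/orgs). The following Go example is added here and is not Gitea's code; the Token and Org types, the scope and route names, and the lookup callback are assumptions made for illustration. It shows a single scope gate that receives the credential whether it arrived as Bearer or as the password half of HTTP Basic, classifies the web archive path and the Git smart HTTP service endpoints as repository access, and withholds limited and private organizations from a public-only token.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Token models a PAT or OAuth2 access token and the scopes it was issued
// with. Field and scope names are assumptions for this example.
type Token struct {
	Owner      string
	Scopes     map[string]bool // e.g. "read:repository", "write:repository", "read:organization"
	PublicOnly bool            // a public-only token must not reveal private resources
}

// Org models an organization the token owner belongs to.
type Org struct {
	Name       string
	Visibility string // "public", "limited" or "private"
}

var (
	ErrAuth  = errors.New("no usable token credential")
	ErrScope = errors.New("token lacks the scope this endpoint requires")
)

// requiredScope maps a request to the scope it must carry. The Git smart
// HTTP services and the web archive download are classified explicitly so
// that they cannot fall through to a weaker default than the API paths.
func requiredScope(method, path string) string {
	switch {
	case strings.HasSuffix(path, "/git-receive-pack"):
		return "write:repository" // a push, whatever the Authorization scheme
	case strings.HasSuffix(path, "/git-upload-pack"), strings.Contains(path, "/archive/"):
		return "read:repository" // clone/fetch and archive download read repository content
	case path == "/api/v1/user/orgs":
		return "read:organization"
	case method == http.MethodGet || method == http.MethodHead:
		return "read:repository"
	default:
		return "write:repository"
	}
}

// extractToken accepts the credential from a Bearer header or from the
// password half of HTTP Basic and resolves both through the same lookup,
// so the transport does not decide whether scopes get enforced.
func extractToken(r *http.Request, lookup func(string) (*Token, bool)) (*Token, error) {
	h := r.Header.Get("Authorization")
	var secret string
	switch {
	case strings.HasPrefix(h, "Bearer "):
		secret = strings.TrimPrefix(h, "Bearer ")
	case strings.HasPrefix(h, "Basic "):
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(h, "Basic "))
		if err != nil {
			return nil, ErrAuth
		}
		_, pw, ok := strings.Cut(string(raw), ":")
		if !ok {
			return nil, ErrAuth
		}
		secret = pw
	default:
		return nil, ErrAuth
	}
	if t, ok := lookup(secret); ok {
		return t, nil
	}
	return nil, ErrAuth
}

// hasScope treats write:<x> as implying read:<x>.
func (t *Token) hasScope(scope string) bool {
	if t.Scopes[scope] {
		return true
	}
	if strings.HasPrefix(scope, "read:") {
		return t.Scopes["write:"+strings.TrimPrefix(scope, "read:")]
	}
	return false
}

// authorize is the single scope gate. The owner's normal repository
// permissions (RBAC) are a separate, later check not modelled here.
func authorize(r *http.Request, lookup func(string) (*Token, bool)) (*Token, error) {
	t, err := extractToken(r, lookup)
	if err != nil {
		return nil, err
	}
	if !t.hasScope(requiredScope(r.Method, r.URL.Path)) {
		return nil, ErrScope
	}
	return t, nil
}

// visibleOrgs withholds limited and private organizations from a
// public-only token; a normal token sees the owner's full membership.
func visibleOrgs(t *Token, orgs []Org) []Org {
	var out []Org
	for _, o := range orgs {
		if t.PublicOnly && o.Visibility != "public" {
			continue
		}
		out = append(out, o)
	}
	return out
}

func main() {
	// Constructed tokens for demonstration.
	tokens := map[string]*Token{
		"orgonly": {Owner: "alice", Scopes: map[string]bool{"read:organization": true}},
		"pubonly": {Owner: "alice", Scopes: map[string]bool{"read:repository": true}, PublicOnly: true},
	}
	lookup := func(s string) (*Token, bool) { t, ok := tokens[s]; return t, ok }
	basic := "Basic " + base64.StdEncoding.EncodeToString([]byte("alice:orgonly"))
	for _, c := range []struct{ method, path, auth string }{
		{"GET", "/alice/private-repo/archive/main.zip", "Bearer orgonly"}, // web archive with an org-only token
		{"POST", "/alice/private-repo/git-receive-pack", basic},           // push, token sent via Basic
		{"GET", "/api/v1/user/orgs", "Bearer orgonly"},
	} {
		req, _ := http.NewRequest(c.method, "https://git.example"+c.path, nil)
		req.Header.Set("Authorization", c.auth)
		_, err := authorize(req, lookup)
		fmt.Printf("%-5s %-40s -> %v\n", c.method, c.path, err)
	}
	fmt.Println(visibleOrgs(tokens["pubonly"], []Org{{"pub", "public"}, {"lim", "limited"}, {"priv", "private"}}))
}
```

The design point is that every credential-bearing transport funnels into one gate keyed on the route, not on the Authorization scheme; an endpoint added later gets the default for its HTTP method rather than no check at all.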


Remediation

Install the update from the vendor's website.