SB2026062240 - Multiple vulnerabilities in Gitea
Published: June 22, 2026
Description
This security bulletin contains information about 8 vulnerabilities.
1) Incorrect authorization (CVE-ID: CVE-2026-27761)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information from private repository commit feeds.
The vulnerability exists due to incorrect authorization in repository RSS/Atom feed handlers when handling feed requests authenticated with a personal access token that lacks repository scope. A remote user can send a request to repository feed endpoints using a non-repository-scoped token to disclose sensitive information from private repository commit feeds.
Feeds must be enabled, and the issue affects private repositories the token owner is permitted to read. Exposed data can include commit SHAs, full commit messages, and committer names and email addresses.
2) Improper access control (CVE-ID: CVE-2026-24451)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the POST /api/v1/repos/{owner}/{repo}/merge-upstream endpoint when synchronizing a fork with its parent repository after the parent repository has been changed from public to private. A remote user can call the merge-upstream API on a previously created fork to disclose sensitive information.
The issue only affects repositories that were forked while the parent repository was public, and only content synchronized into the fork after the visibility change becomes exposed.
3) Missing Authorization (CVE-ID: CVE-2026-25038)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to missing authorization in the Organization Labels API endpoints when handling requests for labels of private organizations. A remote user can send crafted API requests to disclose sensitive information.
The issue is limited to read access through GET /api/v1/orgs/{org}/labels and GET /api/v1/orgs/{org}/labels/{id}. No unauthorized modification of labels was observed.
4) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-20779)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass one-time password replay protections and create multiple authenticated sessions.
The vulnerability exists due to a time-of-check time-of-use race condition in the web 2FA login and password-reset 2FA re-auth handlers when processing parallel submissions of the same TOTP passcode. A remote attacker can send parallel requests with the same captured passcode to bypass one-time password replay protections and create multiple authenticated sessions.
User interaction is required because the victim must complete a login flow that supplies a live TOTP value.
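The defect class in item 4, illustrated with an added Go example that is not Gitea's code: a replay guard whose freshness check and record of use are separate steps lets parallel submissions of one TOTP counter all succeed, while holding a single lock across both steps admits exactly one. ReplayGuard, CountAccepted and the counter values are assumptions made for the illustration.

```go
package main

import (
	"sync"
	"sync/atomic"
	"time"
)

// ReplayGuard remembers the TOTP time-step counter of the last accepted passcode.
type ReplayGuard struct {
	mu       sync.Mutex
	lastUsed int64 // counter of the last accepted code; 0 means none yet
}

// AcceptRacy is the check-then-use shape in the bulletin: check and record are separate steps.
func (g *ReplayGuard) AcceptRacy(counter int64) bool {
	if counter <= atomic.LoadInt64(&g.lastUsed) { // time of check
		return false
	}
	time.Sleep(time.Millisecond) // stands in for the work between check and use
	atomic.StoreInt64(&g.lastUsed, counter) // time of use
	return true
}

// AcceptAtomic holds one lock across check and record, so only one parallel submission wins.
func (g *ReplayGuard) AcceptAtomic(counter int64) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	if counter <= g.lastUsed {
		return false
	}
	g.lastUsed = counter
	return true
}

// CountAccepted submits one counter from n goroutines at once; a correct guard accepts exactly 1.
func CountAccepted(accept func(int64) bool, counter int64, n int) int {
	var wg sync.WaitGroup
	var accepted int64
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if accept(counter) {
				atomic.AddInt64(&accepted, 1)
			}
		}()
	}
	wg.Wait()
	return int(accepted)
}
```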
5) Incorrect authorization (CVE-ID: CVE-2026-27775)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain full repository write access.
The vulnerability exists due to incorrect authorization in the pre-receive hook permission check in routers/private/hook_pre_receive.go when processing a multi-ref git push. A remote user can push a branch with a legitimate per-branch write grant together with additional refs in one batch to gain full repository write access.
User interaction is required because the victim must enable "Allow edits from maintainers" on a pull request.
6) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-28740)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to authorization bypass through a user-controlled key in the Git LFS upload/object reuse path when reusing an existing Git LFS object from a private source repository. A remote user can associate a known Git LFS object from the source repository with a target repository to disclose sensitive information.
Exploitation requires Code write access to a target repository, non-Code access such as Issues access to a private source repository, and knowledge of an existing Git LFS object OID and size.
7) Improper access control (CVE-ID: CVE-2026-20896)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to impersonate arbitrary users.
The vulnerability exists due to improper access control in reverse proxy authentication handling when processing the X-WEBAUTH-USER header from direct HTTP requests. A remote attacker can send a specially crafted request with an X-WEBAUTH-USER header to impersonate arbitrary users.
Only Docker image deployments are affected, and exploitation requires ENABLE_REVERSE_PROXY_AUTHENTICATION to be enabled.
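A defensive pattern for the reverse-proxy trust problem in item 7, added here as an illustration and not Gitea's own code: the X-WEBAUTH-USER header is honoured only when the TCP peer belongs to a configured reverse-proxy network, and is stripped from any direct request. The CIDR list, TrustedProxyFilter and its method names are assumptions made for the example.

```go
package main

import (
	"net"
	"net/http"
)

// TrustedProxyFilter honours X-WEBAUTH-USER only when the TCP peer is one of
// the configured reverse-proxy networks; from any other peer it is dropped.
type TrustedProxyFilter struct{ nets []*net.IPNet }

// NewTrustedProxyFilter parses the proxy CIDRs, e.g. []string{"10.0.0.0/8"}.
func NewTrustedProxyFilter(cidrs []string) (*TrustedProxyFilter, error) {
	f := &TrustedProxyFilter{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		f.nets = append(f.nets, n)
	}
	return f, nil
}

// trusted reports whether remoteAddr ("host:port") belongs to a proxy network.
func (f *TrustedProxyFilter) trusted(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range f.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// AuthenticatedUser returns the identity asserted by a trusted proxy, or "" for a
// direct request, whose header is attacker-controlled and is removed before later handlers see it.
func (f *TrustedProxyFilter) AuthenticatedUser(r *http.Request) string {
	if !f.trusted(r.RemoteAddr) {
		r.Header.Del("X-WEBAUTH-USER")
		return ""
	}
	return r.Header.Get("X-WEBAUTH-USER")
}
```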
8) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-22874)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information from internal services via server-side request forgery.
The vulnerability exists due to server-side request forgery in the HostMatchList.checkIP allow-list filter when processing webhook delivery or repository migration destinations. A remote user can supply a specially crafted internal destination that passes the allow-list filter to disclose sensitive information from internal services via server-side request forgery.
Webhook delivery captures the response status, headers, and up to 1 MiB of response body and renders them in the webhook history UI, making the SSRF non-blind.
Remediation
Install the update from the vendor's website.
References
- https://github.com/go-gitea/gitea/security/advisories/GHSA-3pww-vcvm-3gmj
- https://github.com/go-gitea/gitea/security/advisories/GHSA-wrf9-r3h7-7x5v
- https://anonymous.4open.science/r/Gitea_PoC-EC93/4_poc_merge_upstream
- https://github.com/go-gitea/gitea/security/advisories/GHSA-v73x-hx65-6pf4
- https://anonymous.4open.science/r/Gitea_PoC-EC93/2_poc_private_org_labels_leak
- https://github.com/go-gitea/gitea/security/advisories/GHSA-gx3v-q759-g323
- https://github.com/go-gitea/gitea/pull/3878
- https://github.com/go-gitea/gitea/security/advisories/GHSA-649p-mmhf-85c7
- https://github.com/go-gitea/gitea
- https://github.com/go-gitea/gitea/security/advisories/GHSA-2m9v-5q2g-58vq
- https://github.com/go-gitea/gitea/commit/dac41a124fd34820a3c8caf3b3592ba62cd514ff
- https://github.com/go-gitea/gitea/security/advisories/GHSA-f75j-4cw6-rmx4
- https://github.com/go-gitea/gitea/security/advisories/GHSA-2r5c-gw76-rh3w
- https://github.com/go-gitea/gitea/blob/4c37f4dacbac022f7beca75272439331f0368830/modules/hostmatcher/hostmatcher.go#L96-L114