Missing Authorization in Gitea - CVE-2026-27783

 


Published: June 8, 2026


Vulnerability identifier: #VU133470
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-27783
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The Gitea Authors
Affected software: Gitea

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to missing authorization in the issue-template API endpoints when handling requests to read issue-template and issue-config files from the repository default branch. A remote user can send crafted API requests to disclose sensitive information.

The issue affects private repositories when the caller has access to any repository unit, such as the Issues unit, but lacks Code-unit permission.
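The permission gap described above, as an added example that is not Gitea's own code: a minimal Go model in which an "any unit" gate lets an Issues-only caller read a template file from the default branch, next to a gate that requires Code-unit read. All type, function and file names are hypothetical, and the Code-unit gate is an assumption about the shape of the correction, not the vendor's patch.

```go
package main

import (
	"errors"
	"fmt"
)

// Unit is a repository feature area; names are illustrative, not Gitea's types.
type Unit string

const (
	UnitCode   Unit = "code"
	UnitIssues Unit = "issues"
)

// Caller holds the units a user may read in one private repository (constructed model).
type Caller struct {
	Name  string
	Units map[Unit]bool
}

var ErrForbidden = errors.New("403: caller lacks required unit permission")

// templateFile stands in for an issue-template file on the default branch (constructed).
const templateFile = "name: Bug report\nabout: internal triage notes\n"

// canReadAnyUnit is the flawed gate: a grant on any unit passes.
func canReadAnyUnit(c Caller) bool {
	for _, ok := range c.Units {
		if ok {
			return true
		}
	}
	return false
}

// canReadCode is the assumed corrected gate: branch content needs Code-unit read.
func canReadCode(c Caller) bool { return c.Units[UnitCode] }

// ReadIssueTemplate returns the file only if the supplied gate authorizes the caller.
func ReadIssueTemplate(c Caller, gate func(Caller) bool) (string, error) {
	if !gate(c) {
		return "", ErrForbidden
	}
	return templateFile, nil
}

func main() {
	triager := Caller{Name: "triager", Units: map[Unit]bool{UnitIssues: true}}
	_, weakErr := ReadIssueTemplate(triager, canReadAnyUnit)
	_, fixedErr := ReadIssueTemplate(triager, canReadCode)
	fmt.Println("any-unit gate:", weakErr, "| code-unit gate:", fixedErr)
}
```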


How to mitigate CVE-2026-27783

Install the security update from the vendor's website.
