Incorrect authorization in Gitea - CVE-2026-28699

Published: June 8, 2026


Vulnerability identifier: #VU133472
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-28699
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The Gitea Authors
Affected software:
Gitea

Detailed vulnerability description

The vulnerability allows a remote user to bypass OAuth2 token scope restrictions and perform unauthorized write actions.

The vulnerability exists due to incorrect authorization in services/auth/basic.go and in the tokenRequiresScopes middleware in routers/api/v1/api.go when an OAuth2 access token is submitted via HTTP Basic authentication instead of as a Bearer token. A remote user can send a crafted API request that presents the token through the Basic authentication path, bypassing the OAuth2 token scope restrictions and performing write actions the token was never granted.

The bypass is limited by the authorizing user's existing repository permissions and does not grant administrative access.
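The defect class described above (scope enforcement that depends on which authentication path delivered the token) can be illustrated with a small self-contained model. The following Go program is an added example written for this page; it is not Gitea's code, and the token store, token values, scope names and function names are constructed for illustration. It contrasts a weak authenticator that attaches scopes only on the Bearer path with a fixed one that attaches them on every path, and a middleware check that fails closed when a token-derived identity carries no scope set.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed stand-in for a stored OAuth2 access token and its granted scopes.
type tokenRecord struct {
	User   string
	Scopes map[string]bool
}

// Constructed token store (hypothetical values, not from Gitea).
var tokenStore = map[string]tokenRecord{
	"tok_readonly": {User: "alice", Scopes: map[string]bool{"read:repository": true}},
	"tok_rw":       {User: "alice", Scopes: map[string]bool{"read:repository": true, "write:repository": true}},
}

// identity is what an authentication method hands to the scope middleware.
// FromToken == false with nil Scopes is how a password or session login looks.
type identity struct {
	User      string
	FromToken bool
	Scopes    map[string]bool
}

// parseAuthorization returns the credential path ("bearer" or "basic") and the
// secret presented. For Basic auth the password field is returned, since that
// is where a client places an access token.
func parseAuthorization(header string) (path, secret string, ok bool) {
	switch {
	case strings.HasPrefix(header, "Bearer "):
		return "bearer", strings.TrimSpace(strings.TrimPrefix(header, "Bearer ")), true
	case strings.HasPrefix(header, "Basic "):
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
		if err != nil {
			return "", "", false
		}
		user, pass, found := strings.Cut(string(raw), ":")
		if !found || user == "" {
			return "", "", false
		}
		return "basic", pass, true
	}
	return "", "", false
}

// authenticateWeak models the flawed pattern: the Bearer path attaches the
// token's scopes, but the Basic path only resolves the token to a user and
// returns an identity that looks like a password login, so no scope applies.
func authenticateWeak(header string) (*identity, error) {
	path, secret, ok := parseAuthorization(header)
	if !ok {
		return nil, fmt.Errorf("missing or malformed Authorization header")
	}
	rec, found := tokenStore[secret]
	if !found {
		return nil, fmt.Errorf("unknown credential")
	}
	if path == "bearer" {
		return &identity{User: rec.User, FromToken: true, Scopes: rec.Scopes}, nil
	}
	return &identity{User: rec.User}, nil // token provenance and scopes lost here
}

// authenticateFixed attaches the token's scopes however the token was presented.
func authenticateFixed(header string) (*identity, error) {
	_, secret, ok := parseAuthorization(header)
	if !ok {
		return nil, fmt.Errorf("missing or malformed Authorization header")
	}
	rec, found := tokenStore[secret]
	if !found {
		return nil, fmt.Errorf("unknown credential")
	}
	return &identity{User: rec.User, FromToken: true, Scopes: rec.Scopes}, nil
}

// requireScope is the middleware check shared by both models. It fails closed:
// a token-derived identity with no scope set is denied, so an auth path that
// forgets to attach scopes cannot silently widen access.
func requireScope(id *identity, required string) bool {
	if !id.FromToken {
		return true // password/session login: repository permissions apply instead
	}
	return id.Scopes != nil && id.Scopes[required]
}

// authorize runs one authentication model followed by the scope check.
func authorize(auth func(string) (*identity, error), header, required string) bool {
	id, err := auth(header)
	if err != nil {
		return false
	}
	return requireScope(id, required)
}

// basicHeader builds an "Authorization: Basic" value with the token as the password.
func basicHeader(user, token string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user + ":" + token))
}

func main() {
	basic := basicHeader("alice", "tok_readonly")
	fmt.Println("weak,  basic,  write:", authorize(authenticateWeak, basic, "write:repository"))
	fmt.Println("weak,  bearer, write:", authorize(authenticateWeak, "Bearer tok_readonly", "write:repository"))
	fmt.Println("fixed, basic,  write:", authorize(authenticateFixed, basic, "write:repository"))
	fmt.Println("fixed, basic,  read :", authorize(authenticateFixed, basic, "read:repository"))
}
```

The point of the fail-closed branch in requireScope is that scope enforcement should key off what the credential is (an OAuth2 token) rather than off the header it arrived in; when reviewing a fix for this class of bug, check that every authentication path that can resolve a token populates the same scope information the middleware consumes.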


How to mitigate CVE-2026-28699

Install the security update from the vendor's website.

Sources