Improper Authorization in Gitea - CVE-2026-22555

Published: June 22, 2026


Vulnerability identifier: #VU135001
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-22555
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The Gitea Authors
Affected software: Gitea

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and push arbitrary code under the organization's namespace.

The vulnerability exists due to improper access control in the `POST /api/v1/repos/{owner}/{repo}/forks` API endpoint when forking a repository into an organization. A remote user can send a crafted API request to create a fork in the organization namespace, obtain admin permissions on that fork, and exfiltrate organization-level CI/CD secrets.

Exploitation requires membership in the target organization and access to an existing organization repository. Instances with Actions enabled and runner infrastructure available are affected by the secret exfiltration path.
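A defender's audit matching the description above, added here as example code (not Gitea's code or part of the advisory): it walks an organization's repository list and flags forks in the org namespace that are forks of the org's own repositories or that carry direct admin collaborators, the two signals a fork created through the described path would leave behind. The response shapes are modelled on Gitea's `/orgs/{org}/repos` and collaborator permission endpoints; the sample data is constructed.

```python
import json

# Constructed sample (not real Gitea output) shaped like GET /api/v1/orgs/{org}/repos,
# trimmed to the fields the audit uses.
ORG_REPOS_JSON = """[
  {"full_name": "acme/api", "fork": false, "parent": null,
   "owner": {"login": "acme"}},
  {"full_name": "acme/api-fork", "fork": true,
   "parent": {"full_name": "acme/api", "owner": {"login": "acme"}},
   "owner": {"login": "acme"}},
  {"full_name": "acme/vendored-lib", "fork": true,
   "parent": {"full_name": "upstream/lib", "owner": {"login": "upstream"}},
   "owner": {"login": "acme"}}
]"""

# Constructed per-repo collaborator permissions, shaped like the "permission" value of
# GET /api/v1/repos/{owner}/{repo}/collaborators/{user}/permission (admin/write/read).
COLLABORATOR_PERMS = {
    "acme/api": {},
    "acme/api-fork": {"mallory": "admin"},
    "acme/vendored-lib": {"bob": "write"},
}


def audit_org_forks(org, repos, collaborator_perms):
    """Return one finding per fork in the org namespace that shows a risk signal."""
    findings = []
    for repo in repos:
        if not repo.get("fork") or repo["owner"]["login"] != org:
            continue
        parent = repo.get("parent") or {}
        signals = []
        # Signal 1: an org forking its own repository is unusual and matches the bug path.
        if parent.get("owner", {}).get("login") == org:
            signals.append("fork of the org's own repository")
        # Signal 2: individual users holding admin on an org repo bypass team-based access.
        perms = collaborator_perms.get(repo["full_name"], {})
        admins = sorted(user for user, perm in perms.items() if perm == "admin")
        if admins:
            signals.append("direct admin collaborators: " + ", ".join(admins))
        if signals:
            findings.append({"repo": repo["full_name"],
                             "parent": parent.get("full_name"), "signals": signals})
    return findings


def audit_sample():
    """Run the audit over the constructed sample data."""
    return audit_org_forks("acme", json.loads(ORG_REPOS_JSON), COLLABORATOR_PERMS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding["repo"], "<-", finding["parent"], ":", "; ".join(finding["signals"]))
```

On a live instance, replace the two constants with the JSON returned by the corresponding API calls made with a read-only token; the vendored upstream fork with a write-only collaborator is deliberately not flagged.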


How to mitigate CVE-2026-22555

Install the security update from the vendor's website.