Improper Authorization in Gitea - #VU135003
Published: June 22, 2026
Gitea
Detailed vulnerability description
The vulnerability allows a remote user to create repositories in an organization without authorization.
The vulnerability exists due to improper access control in the fork repository API endpoint when handling fork requests into organizations. A remote user can send a specially crafted API request to create repositories in an organization without authorization.
The issue affects POST /api/v1/repos/{owner}/{repo}/forks: when the fork target is an organization, the endpoint checks that the requesting user is a member of that organization but does not verify that the user is permitted to create repositories in it, even though a fork into an organization is a repository creation in that organization.
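The authorization gap described above, as an added illustration that is not Gitea's code and does not use Gitea's types or API: a hypothetical organization model (Org, AddMember, IsMember, CanCreateRepo are all assumed names) with the membership-only check placed beside a corrected check that also requires repository-creation permission in the target organization.

```go
package main

import "fmt"

// Org is a hypothetical organization model (not Gitea's): a set of members
// and, per member, whether that member may create repositories in it.
type Org struct {
	Name      string
	members   map[string]bool
	canCreate map[string]bool
}

// NewOrg constructs an empty organization.
func NewOrg(name string) *Org {
	return &Org{Name: name, members: map[string]bool{}, canCreate: map[string]bool{}}
}

// AddMember records a member and whether that member may create repositories.
func (o *Org) AddMember(user string, mayCreateRepos bool) {
	o.members[user] = true
	o.canCreate[user] = mayCreateRepos
}

// IsMember reports plain organization membership.
func (o *Org) IsMember(user string) bool { return o.members[user] }

// CanCreateRepo reports the stronger permission: membership plus the right
// to create repositories in this organization.
func (o *Org) CanCreateRepo(user string) bool { return o.members[user] && o.canCreate[user] }

// ForkRequest models a fork request whose target is an organization
// (the "organization" parameter of the forks endpoint in the advisory).
type ForkRequest struct {
	Actor     string // authenticated user making the request
	TargetOrg *Org
}

// authorizeForkWeak reproduces the flawed pattern the advisory describes:
// membership in the target organization is treated as sufficient.
func authorizeForkWeak(req ForkRequest) error {
	if !req.TargetOrg.IsMember(req.Actor) {
		return fmt.Errorf("forbidden: %s is not a member of %s", req.Actor, req.TargetOrg.Name)
	}
	return nil
}

// authorizeForkFixed adds the missing check: forking into an organization
// creates a repository there, so the repository-creation permission is
// required in addition to membership.
func authorizeForkFixed(req ForkRequest) error {
	if !req.TargetOrg.IsMember(req.Actor) {
		return fmt.Errorf("forbidden: %s is not a member of %s", req.Actor, req.TargetOrg.Name)
	}
	if !req.TargetOrg.CanCreateRepo(req.Actor) {
		return fmt.Errorf("forbidden: %s may not create repositories in %s", req.Actor, req.TargetOrg.Name)
	}
	return nil
}

func main() {
	// Constructed sample data: alice may create repositories, bob is a
	// member without that permission, mallory is not a member at all.
	org := NewOrg("example-org")
	org.AddMember("alice", true)
	org.AddMember("bob", false)

	for _, actor := range []string{"alice", "bob", "mallory"} {
		req := ForkRequest{Actor: actor, TargetOrg: org}
		fmt.Printf("%-8s weak=%v fixed=%v\n", actor,
			authorizeForkWeak(req) == nil, authorizeForkFixed(req) == nil)
	}
}
```

The difference shows up only for the member without creation rights: the membership-only check lets that user fork into the organization, the corrected check rejects it. When reviewing similar endpoints, look for every code path that ends in a repository being created under an organization and confirm each one applies the same creation-permission check as the direct "create repository" path, rather than a weaker proxy such as membership.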