Incorrect authorization in Gitea - CVE-2026-27761

Published: June 22, 2026
Vulnerability identifier: #VU135004
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-27761
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The Gitea Authors
Affected software:
Gitea

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information from private repository commit feeds.

The vulnerability exists due to incorrect authorization in repository RSS/Atom feed handlers when handling feed requests authenticated with a personal access token that lacks repository scope. A remote user can send a request to repository feed endpoints using a non-repository-scoped token to disclose sensitive information from private repository commit feeds.

Feeds must be enabled, and the issue affects private repositories the token owner is permitted to read. Exposed data can include commit SHAs, full commit messages, and committer names and email addresses.
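As an added illustration (a hypothetical model written for this page, not Gitea's own code), the Go snippet below contrasts a feed authorization check that only asks whether the token owner may read the repository with one that first requires the token itself to carry a repository scope, which is the missing check that CWE-863 describes here. The Token, Repo and Settings types and the scope names are assumptions; scope names are merely modelled after Gitea's naming style.

```go
package main

import "fmt"

// Token models a personal access token: who owns it and which scopes it was issued with.
// Scope names here are assumptions, not a definitive list of Gitea scopes.
type Token struct {
	Owner  string
	Scopes map[string]bool // e.g. "read:user", "read:repository", "write:repository", "all"
}

// Repo models a repository with its visibility and the users permitted to read it.
type Repo struct {
	Name    string
	Private bool
	Readers map[string]bool
}

// Settings models the instance-level "feeds enabled" switch mentioned in the advisory.
type Settings struct{ FeedsEnabled bool }

// canRead is repository-level permission only: does the token OWNER have read access?
func canRead(tok Token, repo Repo) bool {
	return !repo.Private || repo.Readers[tok.Owner]
}

// hasRepoScope asks whether the TOKEN was scoped for repository access at all.
func hasRepoScope(tok Token) bool {
	return tok.Scopes["all"] || tok.Scopes["read:repository"] || tok.Scopes["write:repository"]
}

// feedAllowedVulnerable mirrors the failure mode described for CVE-2026-27761: the handler
// checks the feature flag and the owner's repository permission, but never the token scope,
// so a token issued for something unrelated still unlocks a private commit feed.
func feedAllowedVulnerable(s Settings, tok Token, repo Repo) bool {
	return s.FeedsEnabled && canRead(tok, repo)
}

// feedAllowedFixed adds the missing scope check. A token without repository scope is treated
// as no more privileged than an anonymous request, so it can only see public feeds.
func feedAllowedFixed(s Settings, tok Token, repo Repo) bool {
	if !s.FeedsEnabled {
		return false
	}
	if !hasRepoScope(tok) {
		return !repo.Private
	}
	return canRead(tok, repo)
}

func main() {
	// Constructed sample: a private repo readable by alice, and alice's token scoped only to read:user.
	repo := Repo{Name: "alice/secret", Private: true, Readers: map[string]bool{"alice": true}}
	tok := Token{Owner: "alice", Scopes: map[string]bool{"read:user": true}}
	s := Settings{FeedsEnabled: true}
	fmt.Println("vulnerable:", feedAllowedVulnerable(s, tok, repo), "fixed:", feedAllowedFixed(s, tok, repo))
}
```

The deciding difference is that the fixed check binds the decision to the credential presented, not just to the identity behind it.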
How to mitigate CVE-2026-27761

Install the security update from the vendor's website.

Sources