CVE-2023-49947
Description
Forgejo before 1.20.5-1 allows 2FA bypass via docker login using Basic Authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Forgejo versions before 1.20.5-1 contain a vulnerability where the API endpoint used by docker login with Basic Authentication does not verify whether the user has two-factor authentication (2FA) enabled. This allows an attacker to bypass 2FA when authenticating via the Docker CLI [1].
Exploitation
An attacker needs valid credentials (username and password) for a Forgejo user that has 2FA activated. By using docker login with Basic Authentication against the Forgejo instance, the attacker can authenticate without providing the required 2FA code, as the endpoint lacks the necessary check [1].
Impact
Successful exploitation grants the attacker full access to the victim's account, including the ability to interact with repositories, perform actions, and access private data, effectively bypassing the security provided by 2FA [1].
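As an added illustration (not Forgejo's code; the project's fix diff is not available on this page), the Go sketch below models the bug class described above with a constructed user store: a Basic-auth path that accepts a password alone beside a hardened path that refuses a bare password for a 2FA-enrolled user and accepts only a personal access token. The user model, error names and token scheme are assumptions.

```go
package main

import (
	"errors"
	"net/http"
)

// Constructed toy user model; Forgejo's real types and fix are not on this page.
type User struct {
	Password    string          // plaintext only for this illustration; store a hash in real code
	TOTPEnabled bool            // user has enrolled a second factor
	Tokens      map[string]bool // personal access tokens issued after a full (2FA) login
}

var users = map[string]*User{
	"alice": {Password: "correct horse", TOTPEnabled: true, Tokens: map[string]bool{"tok_alice_ci": true}},
	"bob":   {Password: "hunter2"},
}

var (
	ErrUnauthorized      = errors.New("unauthorized")
	ErrTwoFactorRequired = errors.New("2FA enrolled: use an access token, not the password")
)

// vulnerableBasicAuth models the bug class: a matching password is enough, so the second factor is never consulted.
func vulnerableBasicAuth(r *http.Request) (*User, error) {
	name, secret, _ := r.BasicAuth() // a missing header yields name "", which is not a user
	if u := users[name]; u != nil && u.Password == secret {
		return u, nil
	}
	return nil, ErrUnauthorized
}

// hardenedBasicAuth accepts an access token as the Basic "password" and refuses a raw password for 2FA-enrolled users.
func hardenedBasicAuth(r *http.Request) (*User, error) {
	name, secret, _ := r.BasicAuth()
	u := users[name]
	switch {
	case u == nil:
		return nil, ErrUnauthorized
	case u.Tokens[secret]: // token was minted by a session that already passed 2FA
		return u, nil
	case u.Password != secret:
		return nil, ErrUnauthorized
	case u.TOTPEnabled:
		return nil, ErrTwoFactorRequired
	}
	return u, nil
}
```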
Mitigation
The vulnerability is fixed in Forgejo v1.20.5-1, released on 25 November 2023. All installations should be upgraded to this version or later as soon as possible. No workaround is available [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.