VYPR
Severity: High (8.1) · GHSA Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication

CVE-2026-28699

Description

Gitea fails to enforce OAuth2 access token scopes when the token is submitted via HTTP Basic authentication, allowing privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

In Gitea, OAuth2 access token scopes are not enforced when the token is submitted via HTTP Basic authentication instead of a Bearer token. The root cause is in services/auth/basic.go, where the token scope is not stored in the request context, and in routers/api/v1/api.go, where the scope enforcement middleware exits early if ApiTokenScope is absent [1][2]. This affects all Gitea versions prior to the security patch.

Exploitation

An attacker who possesses an OAuth2 access token with a limited scope (e.g., read:user) can bypass scope restrictions by sending the token via HTTP Basic authentication. The attacker constructs the Authorization header as Basic base64(<token>:x-oauth-basic) and sends a write request (e.g., PATCH /api/v1/user/settings). No additional authentication or user interaction is required beyond obtaining the token [1][2].

Impact

Successful exploitation allows the attacker to perform write operations as the authorizing user, including modifying user settings, adding email addresses, creating repositories, and deleting repositories. This constitutes a privilege escalation from the intended read-only scope to full write access [1][2].

Mitigation

The fix involves populating ApiTokenScope in services/auth/basic.go identically to the Bearer-token OAuth2 path. Users should update to the latest patched version of Gitea when it becomes available. No official workaround has been published [1][2].

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing storage of OAuth2 token scope in the request context when the token is accepted via HTTP Basic authentication."

Attack vector

An attacker who obtains an OAuth2 access token (e.g., via a malicious OAuth2 app a user authorized with a restricted scope like `read:user`) can bypass scope enforcement by submitting the token via HTTP Basic authentication (`Authorization: Basic base64(<token>:x-oauth-basic)`) instead of a Bearer token. The middleware in `routers/api/v1/api.go` skips scope checking when `ApiTokenScope` is not set in the context, which occurs only in the Basic auth code path. This allows write operations such as modifying profiles, adding email addresses, creating repositories, and deleting repositories.

Affected code

The bug is in `services/auth/basic.go`, which accepts OAuth2 access tokens through the Basic auth path but does not store the token scope in the request context. The scope enforcement middleware in `routers/api/v1/api.go` exits early when `ApiTokenScope` is absent, so no scope check is performed.

What the fix does

The suggested fix is to populate `ApiTokenScope` in the request context inside `services/auth/basic.go` when an OAuth2 access token is accepted, identically to how the Bearer-token OAuth2 path does it. Without this change, the `tokenRequiresScopes` middleware in `routers/api/v1/api.go` sees that `ApiTokenScope` is absent and returns immediately without enforcing any scope restrictions, allowing all actions permitted to the user.

Preconditions

  • auth: The attacker must possess a valid OAuth2 access token (e.g., obtained via a malicious OAuth2 app the victim authorized).
  • input: The token must be submitted via HTTP Basic authentication (`Authorization: Basic base64(<token>:x-oauth-basic)`) rather than as a Bearer token.
  • config: The target Gitea instance must have the OAuth2 scope enforcement feature enabled (default).

Reproduction

1. Create an OAuth2 application in Gitea.
2. Authorize it as a normal user with scope `read:user` only.
3. Take the resulting access token and call a write endpoint using `Authorization: Basic base64(<token>:x-oauth-basic)`. For example, `PATCH /api/v1/user/settings` returns 200 OK (bypass), whereas the same token sent as `Authorization: Bearer <token>` returns 403 Forbidden.
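The mechanism in "Vulnerability mechanics" and the reproduction above, modelled in Go as an added example. This is not Gitea's code: the token store, the `alice` user, the context keys and the handler are constructed stand-ins for the `services/auth/basic.go` / `tokenRequiresScopes` interaction the page describes. `Probe(true)` reproduces the bug (the Basic path authenticates the token but never stores its scope, so the middleware's early return skips enforcement); `Probe(false)` applies the page's fix of storing the scope on the Basic path exactly as the Bearer path does.

```go
package main

import (
	"context"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Context keys named after the page's description; illustrative, not Gitea's own.
type ctxKey string

const (
	authUserKey      ctxKey = "AuthUser"
	apiTokenScopeKey ctxKey = "ApiTokenScope"
)

// Constructed token store (access token -> granted scope), standing in for Gitea's OAuth2 tokens.
var tokenScopes = map[string]string{"tok-readonly": "read:user"}

// BasicAuthHeader builds the header form the page describes: Basic base64(<token>:x-oauth-basic).
func BasicAuthHeader(token string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(token+":x-oauth-basic"))
}

// withToken records the user and, only if storeScope is set, the token scope in the context.
func withToken(r *http.Request, token string, storeScope bool) (*http.Request, bool) {
	scope, ok := tokenScopes[token]
	if !ok {
		return r, false
	}
	ctx := context.WithValue(r.Context(), authUserKey, "alice") // constructed user
	if storeScope {
		ctx = context.WithValue(ctx, apiTokenScopeKey, scope)
	}
	return r.WithContext(ctx), true
}

// authenticate mirrors the two code paths. vulnerable=true reproduces the bug: the Basic
// path accepts the OAuth2 token but never stores its scope (the Bearer path always does).
func authenticate(r *http.Request, vulnerable bool) (*http.Request, bool) {
	h := r.Header.Get("Authorization")
	switch {
	case strings.HasPrefix(h, "Bearer "):
		return withToken(r, strings.TrimPrefix(h, "Bearer "), true)
	case strings.HasPrefix(h, "Basic "):
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(h, "Basic "))
		if err != nil {
			return r, false
		}
		user, pass, _ := strings.Cut(string(raw), ":")
		if pass != "x-oauth-basic" {
			return r, false // password-based Basic auth is outside this model
		}
		return withToken(r, user, !vulnerable)
	}
	return r, false
}

// scopeAllows accepts an exact match, "all", or a write scope covering the same category's read scope.
func scopeAllows(granted, required string) bool {
	for _, s := range strings.Split(granted, ",") {
		s = strings.TrimSpace(s)
		if s == "all" || s == required || (strings.HasPrefix(required, "read:") && s == "write:"+required[5:]) {
			return true
		}
	}
	return false
}

// requireScope is the enforcement middleware. As the page describes, it returns early when
// no scope is in the context, because non-token sessions carry none; a token that reached
// the handler without its scope stored therefore goes unchecked.
func requireScope(required string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		scope, _ := r.Context().Value(apiTokenScopeKey).(string)
		if scope != "" && !scopeAllows(scope, required) {
			http.Error(w, "token scope "+scope+" lacks "+required, http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

func newServer(vulnerable bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/user/settings", func(w http.ResponseWriter, r *http.Request) {
		r, ok := authenticate(r, vulnerable)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		required := "read:user"
		if r.Method == http.MethodPatch {
			required = "write:user"
		}
		requireScope(required, func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })(w, r)
	})
	return httptest.NewServer(mux)
}

// Probe sends a PATCH with the read-only token via Basic and via Bearer; returns (basic, bearer) status codes.
func Probe(vulnerable bool) (int, int) {
	srv := newServer(vulnerable)
	defer srv.Close()
	send := func(auth string) int {
		req, _ := http.NewRequest(http.MethodPatch, srv.URL+"/api/v1/user/settings", strings.NewReader(`{"description":"x"}`))
		req.Header.Set("Authorization", auth)
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return 0
		}
		io.Copy(io.Discard, resp.Body)
		resp.Body.Close()
		return resp.StatusCode
	}
	return send(BasicAuthHeader("tok-readonly")), send("Bearer tok-readonly")
}

func main() {
	for _, v := range []bool{true, false} {
		b, br := Probe(v)
		fmt.Printf("vulnerable=%-5v PATCH via Basic -> %d, via Bearer -> %d\n", v, b, br)
	}
}
```

With the bug enabled the Basic request succeeds (200) while the identical token as a Bearer is refused (403); with the scope stored on the Basic path both are refused. The early return in `requireScope` is kept as the page describes it, so the fix is on the authentication side: every path that accepts an OAuth2 token must record its scope, otherwise the middleware has nothing to enforce.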

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in the index yet)