VYPR
High severity (8.1) · GHSA Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens

CVE-2026-28744

Description

Gitea v1.26.1 fails to enforce repository-scoped token permissions on Git Smart HTTP requests using Bearer authentication, allowing unauthorized repository access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Gitea v1.26.1, the CheckRepoScopedToken() function in services/context/permission.go returns early when ctx.IsBasicAuth is false, so Bearer-authenticated requests (OAuth2 tokens or PATs) skip the repository scope check entirely [1][2]. Every Git Smart HTTP operation is affected, including clone, fetch, and push: the authorization path calls CheckRepoScopedToken() once and then falls through to normal repository RBAC, and for a non-Basic request that single call is a no-op.

Exploitation

An attacker holding a valid Gitea OAuth2 token or Personal Access Token (PAT) that lacks the repository scope an operation requires (read:repository for clone/fetch, write:repository for push) only needs to send it in an Authorization: Bearer header on the Git Smart HTTP request. The scope check is skipped and the request proceeds to repository RBAC, which evaluates the token owner's identity but not the token's scopes [1][2]. No further authentication or user interaction is needed beyond possession of such a token; the same token sent via HTTP Basic authentication is rejected.

Impact

Successful exploitation lets the attacker clone or fetch private repositories without the read:repository scope and push to repositories without the write:repository scope [1][2], up to whatever the token owner's own RBAC permissions allow. The result is unauthorized disclosure of private repository contents and unauthorized modification of repository data, a loss of both confidentiality and integrity.

Mitigation

As of the available references (published June 2026), no patched version has been announced [1][2]. Administrators should watch the Gitea security advisories and upgrade as soon as a fixed release ships. Until then the workarounds are limited: restrict network access to the instance, disable Git over HTTP so that only SSH is used (which removes the affected path entirely), and treat every issued PAT or OAuth2 token as carrying its owner's full repository permissions, reviewing and revoking tokens that are not strictly needed. The advisory does not name a configuration that would force Basic authentication for Git Smart HTTP, so that should not be relied on as a workaround.

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

Root cause

"The `CheckRepoScopedToken()` function in `services/context/permission.go` returns early unless `ctx.IsBasicAuth` is true, so repository-scope enforcement is skipped when the same token is presented via Bearer/OAuth2 authentication."

Attack vector

An attacker who possesses a valid PAT or OAuth2 token for a Gitea user can present it as an `Authorization: Bearer <token>` header to Git Smart HTTP endpoints (e.g., `/user2/repo2/info/refs?service=git-upload-pack`). Because `CheckRepoScopedToken()` only enforces repository scopes when `ctx.IsBasicAuth` is true, the Bearer-authenticated request bypasses the scope check entirely. The same token would be rejected if sent via HTTP Basic authentication. The attacker still needs a token belonging to a user who has normal repository RBAC access, so this does not grant access to repositories the token owner could not otherwise access. [1][2]

Affected code

The vulnerability resides in `services/context/permission.go` in the `CheckRepoScopedToken()` function, which returns early unless `ctx.IsBasicAuth` is true. The Git Smart HTTP authorization path in `routers/web/repo/githttp.go` calls this function, but the Bearer/OAuth2 auth path (in `services/auth/oauth2.go`) sets the token scope data without setting `IsBasicAuth`, so the scope check is skipped for Bearer-authenticated requests.

What the fix does

The advisory does not include a published patch diff, but the remediation would require modifying `CheckRepoScopedToken()` in `services/context/permission.go` to also enforce repository scopes when the token was presented via Bearer/OAuth2 authentication, not only when `ctx.IsBasicAuth` is true. The token scope data (`IsApiToken` and `ApiTokenScope`) is already recorded by the Bearer auth path in `services/auth/oauth2.go`, so the fix would involve removing or extending the `!ctx.IsBasicAuth` early-return guard to cover Bearer-authenticated requests as well. [1][2]
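The guard described under Vulnerability and Exploitation above and the remediation sketched here, as an added Go model that is not Gitea's code: `authCtx`, the two checker functions, the single-token store and the toy `/info/refs` handler are hypothetical stand-ins built for this example, and the read-only token `ro-token` is constructed. It sends a push (`git-receive-pack`) request carrying that token over Basic and over Bearer to a handler wired with the flawed guard and then with the hardened one, and returns the status code each scheme received.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// authCtx is a hypothetical stand-in for the Gitea context fields the advisory names; not Gitea's type.
type authCtx struct {
	IsBasicAuth   bool
	IsApiToken    bool
	ApiTokenScope string
}

// enforceScope: push (git-receive-pack) needs write:repository; clone/fetch accepts read or write.
func enforceScope(ctx *authCtx, service string) error {
	if service == "git-receive-pack" && ctx.ApiTokenScope != "write:repository" {
		return fmt.Errorf("token scope %q does not grant write:repository", ctx.ApiTokenScope)
	}
	return nil
}

// Flawed guard: a non-Basic request returns early, so a Bearer token is never scope-checked.
func checkRepoScopedTokenVuln(ctx *authCtx, service string) error {
	if !ctx.IsBasicAuth {
		return nil
	}
	return enforceScope(ctx, service)
}

// Hardened guard: decide on whether an API token was used, not on the HTTP scheme it arrived with.
func checkRepoScopedTokenFixed(ctx *authCtx, service string) error {
	if !ctx.IsApiToken {
		return nil // session or password login: no token scopes apply
	}
	return enforceScope(ctx, service)
}

// parseAuth models the two auth paths: Basic (user:token) sets IsBasicAuth, Bearer records only
// the token data. Only the constructed read-only token "ro-token" is known; bad base64 just fails lookup.
func parseAuth(header string) (*authCtx, bool) {
	ctx := &authCtx{}
	scheme, cred, _ := strings.Cut(header, " ")
	var tok string
	switch scheme {
	case "Basic":
		raw, _ := base64.StdEncoding.DecodeString(cred)
		_, tok, _ = strings.Cut(string(raw), ":")
		ctx.IsBasicAuth = true
	case "Bearer":
		tok = cred
	}
	if tok != "ro-token" {
		return nil, false
	}
	ctx.IsApiToken, ctx.ApiTokenScope = true, "read:repository"
	return ctx, true
}

// smartHTTPHandler is a toy /info/refs endpoint: authenticate, run the scope check, then fall through.
func smartHTTPHandler(check func(*authCtx, string) error) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx, ok := parseAuth(r.Header.Get("Authorization"))
		switch {
		case !ok:
			w.WriteHeader(http.StatusUnauthorized)
		case check(ctx, r.URL.Query().Get("service")) != nil:
			w.WriteHeader(http.StatusForbidden)
		default:
			w.WriteHeader(http.StatusOK) // here Gitea would go on to repository RBAC
		}
	})
}

// probePush sends a git-receive-pack request with the read-only token over Basic and over Bearer
// and returns the status code each scheme received (vulnerable guard: map[basic:403 bearer:200]).
func probePush(check func(*authCtx, string) error) map[string]int {
	srv := httptest.NewServer(smartHTTPHandler(check))
	defer srv.Close()
	basic := "Basic " + base64.StdEncoding.EncodeToString([]byte("user2:ro-token"))
	out := map[string]int{}
	for scheme, authz := range map[string]string{"basic": basic, "bearer": "Bearer ro-token"} {
		req, _ := http.NewRequest("GET", srv.URL+"/user2/repo2/info/refs?service=git-receive-pack", nil)
		req.Header.Set("Authorization", authz)
		if resp, err := srv.Client().Do(req); err == nil {
			resp.Body.Close()
			out[scheme] = resp.StatusCode
		}
	}
	return out
}

func main() {
	fmt.Println("vulnerable:", probePush(checkRepoScopedTokenVuln)) // map[basic:403 bearer:200]
	fmt.Println("fixed:", probePush(checkRepoScopedTokenFixed))     // map[basic:403 bearer:403]
}
```

Running it shows the flawed handler refusing the Basic push (403) while accepting the identical token over Bearer (200); once the guard keys on `IsApiToken` instead of `IsBasicAuth`, both schemes get 403. A Bearer clone (`git-upload-pack`) with the read-only token stays allowed under the hardened guard, so the fix narrows Bearer tokens to their scopes without breaking legitimate scoped use.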

Preconditions

  • config: The Gitea instance must expose Git Smart HTTP endpoints.
  • auth: The attacker must possess a valid PAT or OAuth2 token for a user who has normal repository RBAC access to the target repository.
  • input: The token must be presented via the Authorization: Bearer header rather than HTTP Basic authentication.

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (No linked articles in our index yet.)