VYPR
Advisory · Published Jun 17, 2026 · Updated Jun 18, 2026 · 1 source

Gitea: Ten CVEs Disclosed Together, Seven High-Severity Token-Scope and Auth Bypass Flaws


Key findings

  • Seven of the ten CVEs are rated high severity, with token-scope enforcement gaps dominating the batch
  • CVE-2026-28699 and CVE-2026-28744 show OAuth2 scopes are bypassed depending on how the token is submitted (Basic vs Bearer)
  • CVE-2026-26231 lets any read-only user push commits via the 'Allow edits from maintainers' PR feature
  • CVE-2026-28737 is a stored XSS reachable through crafted glTF 3D model files in the built-in viewer
  • CVE-2026-25714 stems from an incomplete fix of an earlier CVE (CVE-2025-68941) for public-only token restrictions
  • No patch release has been announced yet; users should monitor Gitea's security advisories

On June 16–17, 2026, Gitea disclosed ten security vulnerabilities spanning authorization bypasses, token-scope enforcement gaps, stored cross-site scripting, and an open redirect. The batch, which includes seven high-severity flaws, underscores a recurring theme: Gitea's permission and token-scope checks are inconsistently applied across its API, Git, and web endpoints, leaving multiple paths for attackers to escalate privileges or access private data.

Token-Scope Enforcement Gaps

The largest cluster of bugs involves OAuth2 and API token scopes that are not enforced uniformly. CVE-2026-28699 allows an OAuth2 access token submitted via HTTP Basic authentication (Authorization: Basic base64(token:x-oauth-basic)) to bypass scope restrictions entirely: a token granted only read:user can perform write actions, including modifying account settings. CVE-2026-28744 is the mirror image on the Git Smart HTTP path: repository-scoped token permissions are checked only when the token is presented via Basic auth, so the same token sent as a Bearer token skips the check. CVE-2026-25714 stems from an incomplete fix for CVE-2025-68941: the /user/orgs endpoint lacks checkTokenPublicOnly(), and a switch-case logic flaw lets public-only tokens access private organization data. CVE-2026-24791 extends the pattern: many authenticated self routes under /api/v1/user/... do not enforce the public-only token restriction, allowing a token marked public-only to access or modify private account resources. The common root cause is that the scope and public-only checks are attached to individual transports or routes instead of being applied once, after the token has been identified and before any handler runs.
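To make that pattern concrete, the Go program below is an added example written for this advisory, not code from Gitea. It models a small token store (constructed data; scope names such as read:user follow the page's convention) and contrasts a scope check that lives inside one transport's branch, as in the CVEs above, with one applied once after the token has been extracted from either a Bearer or a Basic header. The public-only rule is enforced in the same place, so that an individual route cannot forget it.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Token is a minimal model of an access token: its granted scopes and the
// "public-only" restriction. Constructed for this example; not Gitea's type.
type Token struct {
	Scopes     map[string]bool
	PublicOnly bool
}

// tokens is a constructed token store keyed by the token secret.
var tokens = map[string]Token{
	"ro-token":  {Scopes: map[string]bool{"read:user": true, "read:repository": true}},
	"rw-token":  {Scopes: map[string]bool{"read:user": true, "write:user": true, "write:repository": true}},
	"pub-token": {Scopes: map[string]bool{"read:organization": true}, PublicOnly: true},
}

// extractToken normalizes the two presentations the advisory mentions,
//   Authorization: Bearer <token>
//   Authorization: Basic base64(<token>:x-oauth-basic)
// into the bare token plus the transport it arrived on.
func extractToken(authHeader string) (token, via string, ok bool) {
	scheme, rest, found := strings.Cut(authHeader, " ")
	if !found {
		return "", "", false
	}
	rest = strings.TrimSpace(rest)
	switch strings.ToLower(scheme) {
	case "bearer":
		return rest, "bearer", rest != ""
	case "basic":
		raw, err := base64.StdEncoding.DecodeString(rest)
		if err != nil {
			return "", "", false
		}
		user, pass, found := strings.Cut(string(raw), ":")
		if !found || pass != "x-oauth-basic" || user == "" {
			return "", "", false
		}
		return user, "basic", true
	}
	return "", "", false
}

// authorizeVulnerable reproduces the bug class: the scope check lives inside
// one transport's branch, so the other presentation is authenticated but
// never scope-checked (here the Bearer path, as in CVE-2026-28744).
func authorizeVulnerable(authHeader, requiredScope string) bool {
	secret, via, ok := extractToken(authHeader)
	if !ok {
		return false
	}
	tok, known := tokens[secret]
	if !known {
		return false
	}
	if via == "basic" {
		return tok.Scopes[requiredScope]
	}
	return true // Bearer: scope silently ignored
}

// authorize is the hardened form: normalize first, then apply one scope check
// that does not depend on how the token arrived.
func authorize(authHeader, requiredScope string) bool {
	secret, _, ok := extractToken(authHeader)
	if !ok {
		return false
	}
	tok, known := tokens[secret]
	return known && tok.Scopes[requiredScope]
}

// canAccess adds the public-only rule on top of the scope check: a
// public-only token never reaches a private resource, whatever its scopes.
func canAccess(authHeader, requiredScope string, private bool) bool {
	if !authorize(authHeader, requiredScope) {
		return false
	}
	secret, _, _ := extractToken(authHeader)
	return !(tokens[secret].PublicOnly && private)
}

// basicHeader builds the Basic form of a token for the demonstration.
func basicHeader(token string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(token+":x-oauth-basic"))
}

func main() {
	for _, h := range []string{"Bearer ro-token", basicHeader("ro-token")} {
		fmt.Printf("%-44s vulnerable=%-5v fixed=%v\n", h, authorizeVulnerable(h, "write:user"), authorize(h, "write:user"))
	}
	fmt.Println("public-only token on private org:", canAccess("Bearer pub-token", "read:organization", true))
}
```

The shape to copy is the order of operations: extract, resolve the token, then decide, with nothing in the extraction step that can skip the decision. A quick check against a live instance is to issue one narrowly scoped token and send the same write request twice, once as Bearer and once as Basic; both must be refused.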

Authorization Bypasses in Repository Operations

Two CVEs involve missing authorization checks in repository operations. CVE-2026-26231 (high severity) lets any authenticated user with read access to a repository push arbitrary commits by abusing the "Allow edits from maintainers" pull-request option via reverse-fork PRs — the web UI PR-create endpoint binds allow_edits_from_maintainers without verifying write permissions. CVE-2026-22555 (high severity) targets the API fork endpoint: POST /api/v1/repos/{owner}/{repo}/forks checks IsOrgMember() but not CanCreateOrgRepo(), allowing a read-only organization member to fork a repo into an org and exfiltrate organization secrets. The web UI fork handler correctly checks both.

Missing Authorization on Issue-Template and Archive Endpoints

CVE-2026-27783 describes three API endpoints — GET /repos/{owner}/{repo}/issue_templates, issue_config, and issue_config/validate — that read files from the repository's default Code branch without verifying that the user has access to the Code unit. A user with access to, say, only the Issues unit can still retrieve issue-template files. CVE-2026-20706 notes that the /archive/* endpoint accepts OAuth2 tokens but never calls checkDownloadTokenScope, which was added for /raw/*, /media/*, and attachment downloads in PR #37698.
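The following Go model is an added example, not Gitea's code, and serves both the fork and pull-request checks from the previous section and the unit-access check for the issue-template endpoints above. Org, Repo, Role and the handler functions are constructed for illustration; the method names IsOrgMember and CanCreateOrgRepo are kept from the text, and the choice to reject a pull request rather than silently drop the flag is this example's own. The point is the shape of a complete check: ask every question the operation implies (member and allowed to create repositories; able to push before being able to grant push; able to read the Code unit before being served files from it), in one function that both the web and API handlers call.

```go
package main

import "fmt"

// Role is a user's standing inside an organization. A constructed model for
// this example, not Gitea's permission types.
type Role int

const (
	NotMember      Role = iota
	ReadOnlyMember      // on teams that grant read access only
	RepoCreator         // on a team allowed to create repositories
	Owner
)

// Org is an organization with a membership table.
type Org struct {
	Name    string
	Members map[string]Role
}

// Repo is a repository with its push-capable users and per-unit read access
// (unit -> user -> allowed), mirroring the idea of Code and Issues units.
type Repo struct {
	Name       string
	Writers    map[string]bool
	UnitAccess map[string]map[string]bool
}

func (o *Org) IsOrgMember(user string) bool { return o.Members[user] != NotMember }

// CanCreateOrgRepo is the second, stricter question the API fork endpoint
// is described as not asking.
func (o *Org) CanCreateOrgRepo(user string) bool {
	r := o.Members[user]
	return r == RepoCreator || r == Owner
}

func (r *Repo) CanReadUnit(user, unit string) bool { return r.UnitAccess[unit][user] }

// forkIntoOrgVulnerable mirrors the incomplete API check: membership alone
// is enough to create a repository inside the organization.
func forkIntoOrgVulnerable(o *Org, user string) error {
	if !o.IsOrgMember(user) {
		return fmt.Errorf("forbidden: %s is not a member of %s", user, o.Name)
	}
	return nil
}

// forkIntoOrg is the complete check (the one the text says the web UI already
// performs): membership and repository-creation rights.
func forkIntoOrg(o *Org, user string) error {
	if !o.IsOrgMember(user) {
		return fmt.Errorf("forbidden: %s is not a member of %s", user, o.Name)
	}
	if !o.CanCreateOrgRepo(user) {
		return fmt.Errorf("forbidden: %s may not create repositories in %s", user, o.Name)
	}
	return nil
}

// PullRequestForm is the part of the PR-create form relevant here.
type PullRequestForm struct {
	AllowEditsFromMaintainers bool
}

// createPullRequest only honours "allow edits from maintainers" when the
// requester can already push to the head repository: granting push access to
// a branch you cannot write yourself is the escalation described in the text.
func createPullRequest(head *Repo, user string, form PullRequestForm) (bool, error) {
	if form.AllowEditsFromMaintainers && !head.Writers[user] {
		return false, fmt.Errorf("forbidden: %s has no write access to %s", user, head.Name)
	}
	return form.AllowEditsFromMaintainers, nil
}

// readIssueTemplates serves files from the default Code branch, so the check
// is Code-unit access, not merely Issues-unit access.
func readIssueTemplates(r *Repo, user string) ([]string, error) {
	if !r.CanReadUnit(user, "code") {
		return nil, fmt.Errorf("forbidden: %s cannot read the code unit of %s", user, r.Name)
	}
	return []string{".gitea/ISSUE_TEMPLATE/bug.md"}, nil // constructed stand-in for the file list
}

func main() {
	org := &Org{Name: "acme", Members: map[string]Role{"alice": Owner, "bob": ReadOnlyMember}}
	head := &Repo{Name: "acme/app", Writers: map[string]bool{"alice": true},
		UnitAccess: map[string]map[string]bool{"code": {"alice": true}, "issues": {"alice": true, "bob": true}}}
	fmt.Println("fork, membership-only:", forkIntoOrgVulnerable(org, "bob"))
	fmt.Println("fork, complete check: ", forkIntoOrg(org, "bob"))
	_, err := createPullRequest(head, "bob", PullRequestForm{AllowEditsFromMaintainers: true})
	fmt.Println("maintainer edits:     ", err)
	_, err = readIssueTemplates(head, "bob")
	fmt.Println("issue templates:      ", err)
}
```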

Stored XSS and Open Redirect

CVE-2026-28737 (high severity) is a stored cross-site scripting flaw in Gitea's built-in 3D file viewer (powered by Online3DViewer). A crafted .gltf file that declares an unsupported required extension causes the viewer to generate an error message containing the extension name, which Gitea inserts into the page without sanitization. CVE-2026-25779 is an open redirect: despite validation in urlIsRelative, directory-traversal sequences combined with a backslash in the redirect_to parameter allow redirecting users to arbitrary external sites after login.
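As an added illustration (not Gitea's or Online3DViewer's code), the Go program below shows both halves of this section: pulling the required-extension list out of a constructed glTF document and rendering the error message with and without HTML escaping, and a redirect_to validator that accepts only a plain local path and rejects anything containing a backslash, since browsers treat "\" as "/" when parsing URLs and a relative-looking value can thereby become protocol-relative. The sample glTF payload and redirect inputs are constructed, and safeRedirect is an illustrative policy, not the fix Gitea shipped.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"net/url"
	"strings"
)

// gltfHeader holds the one glTF 2.0 field this example needs: the list of
// extensions a viewer must support in order to render the asset.
type gltfHeader struct {
	ExtensionsRequired []string `json:"extensionsRequired"`
}

// supportedExtensions is a constructed allow-list standing in for whatever
// the real viewer implements.
var supportedExtensions = map[string]bool{"KHR_materials_unlit": true}

// unsupportedExtension parses the glTF JSON and returns the first required
// extension the viewer cannot handle, or "" when all of them are supported.
func unsupportedExtension(gltf []byte) (string, error) {
	var h gltfHeader
	if err := json.Unmarshal(gltf, &h); err != nil {
		return "", err
	}
	for _, ext := range h.ExtensionsRequired {
		if !supportedExtensions[ext] {
			return ext, nil
		}
	}
	return "", nil
}

// errorHTMLVulnerable builds the viewer's error message the unsafe way: the
// attacker-controlled extension name goes into the page as markup.
func errorHTMLVulnerable(ext string) string {
	return "<div class=\"error\">Unsupported required extension: " + ext + "</div>"
}

// errorHTML is the hardened form: the name is HTML-escaped before insertion,
// so it can only ever render as text.
func errorHTML(ext string) string {
	return "<div class=\"error\">Unsupported required extension: " + html.EscapeString(ext) + "</div>"
}

// safeRedirect accepts a redirect_to value only if it parses cleanly, carries
// no scheme, host or userinfo, starts with a single "/", and contains no
// backslash or NUL. Anything else falls back to "/".
func safeRedirect(redirectTo string) (string, bool) {
	if redirectTo == "" || strings.ContainsAny(redirectTo, "\\\x00") {
		return "/", false
	}
	u, err := url.Parse(redirectTo)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return "/", false
	}
	// u.Path is already percent-decoded, so "/%2F%2Fhost" is caught here too.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "/", false
	}
	return u.String(), true
}

func main() {
	// Constructed malicious glTF: the "extension name" is an HTML payload.
	sample := []byte(`{"asset":{"version":"2.0"},"extensionsRequired":["<img src=x onerror=alert(1)>"]}`)
	ext, _ := unsupportedExtension(sample)
	fmt.Println("vulnerable:", errorHTMLVulnerable(ext))
	fmt.Println("escaped:   ", errorHTML(ext))
	for _, r := range []string{"/user/settings", `/\evil.example`, "//evil.example", "https://evil.example"} {
		target, ok := safeRedirect(r)
		fmt.Printf("%-22q -> ok=%v target=%q\n", r, ok, target)
	}
}
```

In a real handler the escaping belongs in the template layer (Go's html/template escapes contextually and removes the chance of forgetting one call site); the explicit html.EscapeString above only makes the difference between the two renderings visible. For redirects, an allow-list of local paths is simpler to reason about than trying to enumerate every way a string can be coaxed into an absolute URL.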

Response and Patch Status

Gitea has not yet released a unified advisory for this batch. Users should monitor the Gitea blog and the official security advisory page for patch announcements. Until fixes land, scope and public-only restrictions cannot be relied on: treat every issued token as carrying its owner's full permissions, review which OAuth2 applications hold grants and revoke those that are not needed, and rotate the remaining tokens once patched versions are deployed, since a narrowly scoped token may have been usable beyond its scope in the meantime. The stored XSS via glTF files is particularly concerning for instances that accept user-uploaded 3D models, because the payload runs in the browser of anyone who opens the file in the viewer.

Bottom Line

This disclosure reveals that Gitea's permission model — especially around token scopes — has been applied inconsistently across its codebase. The seven high-severity CVEs in this batch suggest that a systematic audit of all authenticated endpoints may be needed. Users should prioritize updating to the patched release as soon as it becomes available and, in the interim, restrict token grants and disable the 3D file viewer if not required.

Synthesized by Vypr AI