CVE-2026-20706 PUBLISHED

Gitea repository archive downloads bypass token scope checks

Assigner: Gitea
Reserved: 03.03.2026 Published: 03.07.2026 Updated: 03.07.2026

Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint.

Product Status

Vendor Gitea
Product Gitea Open Source Git Server
Versions Default: unaffected
  • affected from 0 to 1.26.1 (incl.)

Credits

  • geoo115 reporter

Problem Types

  • CWE-284 CWE