CVE-2026-27761 PUBLISHED

Gitea repository feeds bypass API token scope enforcement

Assigner: Gitea
Reserved: 03.03.2026
Published: 03.07.2026
Updated: 03.07.2026

Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 4.3

Product Status

Vendor: Gitea
Product: Gitea Open Source Git Server
Versions (default: unaffected):
  • affected from 0 to 1.26.2 (incl.)

Credits

  • babakizo420 reporter

References

Problem Types

  • CWE-863 (Incorrect Authorization)