Gitea
CVE-2026-25714
MEDIUM
Severity by source
CVSS vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory.
PR:L because a valid API token is required; C:L because only organization membership metadata leaks, with no integrity or availability impact.
Description (GitHub Advisory)
Summary
Two related issues in the token public-only scope enforcement introduced by PR #32204 (CVE-2025-68941 fix). A public-only scoped API token can access private organization data.

Issue 1: /user/orgs missing checkTokenPublicOnly()
routers/api/v1/api.go line 1599:

    m.Get("/user/orgs", reqToken(), tokenRequiresScopes(
        auth_model.AccessTokenScopeCategoryUser,
        auth_model.AccessTokenScopeCategoryOrganization,
    ), org.ListMyOrgs)
    // Missing checkTokenPublicOnly()

Adjacent route at line 1603 has it:

    m.Group("/users/{username}/orgs", func() { ... },
        ..., checkTokenPublicOnly())

Issue 2: checkTokenPublicOnly switch-case evaluates only first matching category
routers/api/v1/api.go lines 253-295. Go switch executes only the first matching case. For routes with categories [User, Organization]:
- Organization case matches first (line 263)
- ctx.Org.Organization is nil on user routes, passes
- ctx.ContextUser.IsOrganization() is false, passes
- User case (line 273) is never reached
- User visibility check skipped entirely
Steps to Reproduce
- Create a token with public-only scope (Settings > Applications > check "public only")
- Call:
    curl -H "Authorization: token <PUBLIC_ONLY_TOKEN>" https://gitea.example.com/api/v1/user/orgs
- Response includes private and limited-visibility organizations
Expected: only public organizations returned.
Impact
Public-only scoped tokens can enumerate private organizations the token owner belongs to. Violates the token's declared scope constraints.
Suggested Fix
- Add checkTokenPublicOnly() to the /user/orgs route at line 1599
- Replace switch with loop over all categories so User visibility check is not skipped
Version
Current main branch, commit 2c2d7e6 (April 3, 2026).
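The switch-case defect in Issue 2 and the loop-based fix from Suggested Fix, shown as an added Go example written for this page (it is not Gitea's code). It is a simplified model of the public-only check: the Ctx, Org and User types, the scope category constants and the two error values are assumptions standing in for Gitea's real types; the route category list [User, Organization] and the nil ctx.Org / non-organization ContextUser conditions are the ones the advisory describes. The request contexts are constructed inline.

```go
package main

import (
	"errors"
	"fmt"
	"slices"
)

// Simplified model of the public-only scope check the advisory describes. Added
// for this page; it is not Gitea's code. The names (ctx.Org, ctx.ContextUser,
// scope categories) mirror the advisory's description and are assumptions.

type ScopeCategory string
const (
	CategoryUser         ScopeCategory = "user"
	CategoryOrganization ScopeCategory = "organization"
)

// Org stands in for ctx.Org.Organization: set on /orgs/{org}/... routes, nil elsewhere.
type Org struct{ Public bool }
// User stands in for ctx.ContextUser, the account a /users/{username}/... route is about.
type User struct {
	IsOrganization bool
	Public         bool
}

// Ctx is the request state the check consults.
type Ctx struct {
	PublicOnly  bool  // token was created with the "public only" restriction
	Org         *Org  // nil on user routes
	ContextUser *User // nil when the route has no {username} parameter
}

var (
	ErrPrivateOrg  = errors.New("token scope is limited to public orgs")
	ErrPrivateUser = errors.New("token scope is limited to public users")
)

// orgArm rejects a non-public organization bound as ctx.Org or as an
// organization-type ContextUser.
func orgArm(ctx *Ctx) error {
	if ctx.Org != nil && !ctx.Org.Public {
		return ErrPrivateOrg
	}
	if u := ctx.ContextUser; u != nil && u.IsOrganization && !u.Public {
		return ErrPrivateOrg
	}
	return nil
}

// userArm rejects a non-public user-type ContextUser.
func userArm(ctx *Ctx) error {
	if u := ctx.ContextUser; u != nil && !u.IsOrganization && !u.Public {
		return ErrPrivateUser
	}
	return nil
}

// checkPublicOnlySwitch has the flawed shape: a tagless switch whose cases test
// "does the route require category X". Go runs only the first true case, so on a
// [User, Organization] route the Organization arm runs, passes, and User is never reached.
func checkPublicOnlySwitch(ctx *Ctx, cats []ScopeCategory) error {
	if !ctx.PublicOnly {
		return nil
	}
	switch {
	case slices.Contains(cats, CategoryOrganization):
		return orgArm(ctx)
	case slices.Contains(cats, CategoryUser):
		return userArm(ctx)
	}
	return nil
}

// checkPublicOnlyLoop is the fix the advisory suggests: every required category
// is checked in turn, so no arm is shadowed by an earlier match.
func checkPublicOnlyLoop(ctx *Ctx, cats []ScopeCategory) error {
	if !ctx.PublicOnly {
		return nil
	}
	arms := map[ScopeCategory]func(*Ctx) error{CategoryOrganization: orgArm, CategoryUser: userArm}
	for _, c := range cats {
		if arm, ok := arms[c]; ok {
			if err := arm(ctx); err != nil {
				return err
			}
		}
	}
	return nil
}

func main() {
	// Constructed request: public-only token, [User, Organization] route, non-public user account.
	cats := []ScopeCategory{CategoryUser, CategoryOrganization}
	ctx := &Ctx{PublicOnly: true, ContextUser: &User{Public: false}}
	fmt.Println("switch:", checkPublicOnlySwitch(ctx, cats)) // <nil>: user check skipped
	fmt.Println("loop:  ", checkPublicOnlyLoop(ctx, cats))   // token scope is limited to public users
}
```

Run it with go run: the switch form returns nil for a non-public user on a [User, Organization] route because the Organization case matched first, while the loop form returns the user-scope error. This models Issue 2 only; Issue 1 is a missing middleware registration on /user/orgs, which no change to this function can fix.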
Analysis (AI)
Public-only scoped API tokens in Gitea bypass their declared scope constraints and expose private organization membership data through two distinct code defects in routers/api/v1/api.go: the /user/orgs route omits the checkTokenPublicOnly() middleware entirely, and the checkTokenPublicOnly function contains a Go switch-case logic flaw that skips the user-visibility check on multi-category routes. This is an incomplete remediation of CVE-2025-68941 introduced by PR #32204, affecting all Gitea instances running version 1.26.1 and earlier. …
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid Gitea API token configured with the 'public only' scope (enabled via Settings > Applications by checking 'public only' during token creation). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately reflects the bounded impact: a low-privilege authenticated token holder can remotely enumerate private organization membership with no user interaction required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains a Gitea API token that was deliberately scoped to 'public only' - for example, a CI/CD credential or a third-party integration token issued under a least-privilege model. The attacker sends a single GET request to `/api/v1/user/orgs` with that token as a Bearer credential; due to the missing middleware and switch-case bypass, the server responds with a full listing of all organizations the token owner belongs to, including private and limited-visibility ones. … |
| Remediation | Upgrade to Gitea 1.26.2, which is confirmed as the fixed release per the advisory package data at https://github.com/go-gitea/gitea/security/advisories/GHSA-8629-vc8r-5p58. … Detailed patch versions, workarounds, and compensating controls in full report. |
Reference
GHSA-8629-vc8r-5p58 (https://github.com/go-gitea/gitea/security/advisories/GHSA-8629-vc8r-5p58)