
Gitea CVE-2026-26231

HIGH
Incorrect Authorization (CWE-863)
2026-06-16 https://github.com/go-gitea/gitea GHSA-mm7c-rhg6-qr4r
8.5 (CVSS 3.1 · GitHub Advisory)

Severity by source

GitHub Advisory (primary): 8.5 HIGH, AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
vuln.today AI: 7.7 HIGH

Network-reachable, any low-priv account suffices (PR:L), no user interaction; scope changes to repos outside attacker control (S:C); high integrity impact, no confidentiality or availability beyond what was already readable.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: Jun 17, 2026 00:18 (vuln.today)
Analysis Generated: Jun 17, 2026 00:18 (vuln.today)
CVE Published: Jun 16, 2026 23:41 (github-advisory)

Description (GitHub Advisory)

Summary

Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks.

Vulnerability

Gitea's "Allow edits from maintainers" PR option can be abused via reverse-fork PRs:

  1. The web UI PR-create endpoint binds allow_maintainer_edit=true without verifying that the submitter has write access to the HEAD repository.
  2. Gitea allows creating a PR where BASE = attacker's fork and HEAD = upstream target. The attacker is "maintainer" of the BASE (their own fork), so the flag is set against the upstream HEAD.
  3. On git push over HTTP/SSH, Gitea relaxes the required access mode to Read when SupportProcReceive is enabled (routers/web/repo/githttp.go, routers/private/serv.go) and defers enforcement to the pre-receive hook.
  4. The pre-receive hook calls CanMaintainerWriteToBranch (models/issues/pull_list.go), which finds the malicious PR, sees AllowMaintainerEdit=true, and checks whether the pusher has write access to the BASE repo. Since BASE is the attacker's own fork, the check passes and the push is authorized against the upstream.

Exploitation

  1. Attacker forks the target repository.
  2. Attacker visits the web compare endpoint and creates a PR with BASE = their_fork, HEAD = upstream, and "Allow edits from maintainers" checked.
  3. Attacker clones their fork, makes a commit, and runs git push <upstream_url> <branch> - the push is accepted.

Reproduction

```bash
python3 poc.py --repo http://gitea:3000/victim/repo --user attacker --password attacker_pass
```

poc.py

Expected output:

```text
[+] target: victim/my_repo  default branch: main
[*] forking -> attacker/my_repo_pocfork (202)
[+] fork ready
[+] malicious PR created (BASE=attacker fork, HEAD=upstream)

remote: . Processing 1 references
remote: Processed 1 references in total
To http://192.168.101.20:3000/victim/my_repo.git
   e5c07b3..9a0b884  main -> main

[+] latest commit on victim/my_repo@main: 'PoC: unauthorized commit via maintainer-edit bypass'
[+] CONFIRMED: unauthorized push to upstream succeeded.
```

A PWNED.txt file will appear on the target repo's default branch, committed by the attacker who has no write access.

Impact

Full repository compromise. Any logged-in user can backdoor any repository they can read, including all public repositories on the instance.

Suggested Fix

Two independent checks are missing; both should be added for defense in depth:

  1. At PR creation: before setting AllowMaintainerEdit = true, verify the submitter has write access to the HEAD repository.
  2. In CanMaintainerWriteToBranch: verify that the PR's HEAD repo matches the repository being pushed to, and that the PR was opened by a legitimate owner/writer of the HEAD repository. Do not trust AllowMaintainerEdit solely based on BASE write access.
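The flawed decision from the Vulnerability section beside the two checks suggested above, as an added illustration that is not Gitea's code: the `Repo`/`PullRequest` types, `canWrite`, `vulnerableCheck`, `hardenedCheck` and `newPR` are a simplified model (assumptions), and the repositories and user IDs are constructed sample data.

```go
package main

import "fmt"

// Simplified model of the advisory's pre-receive decision; names are illustrative assumptions, not Gitea code.
type Repo struct {
	ID      int64
	Writers map[int64]bool // user IDs holding write access (constructed data)
}

type PullRequest struct {
	BaseRepo, HeadRepo  *Repo
	HeadBranch          string
	PosterID            int64
	AllowMaintainerEdit bool
}

func canWrite(r *Repo, uid int64) bool { return r.Writers[uid] }

// vulnerableCheck trusts the flag and only verifies write access on the BASE repo.
func vulnerableCheck(pr *PullRequest, target *Repo, branch string, pusher int64) bool {
	return pr.AllowMaintainerEdit && pr.HeadBranch == branch && canWrite(pr.BaseRepo, pusher)
}

// hardenedCheck also requires HEAD == repo being pushed to, and that the PR author can write to HEAD.
func hardenedCheck(pr *PullRequest, target *Repo, branch string, pusher int64) bool {
	if !pr.AllowMaintainerEdit || pr.HeadBranch != branch || pr.HeadRepo.ID != target.ID {
		return false
	}
	return canWrite(pr.HeadRepo, pr.PosterID) && canWrite(pr.BaseRepo, pusher)
}

// newPR is the PR-creation side fix: honour the flag only if the submitter can write to HEAD.
func newPR(base, head *Repo, branch string, poster int64, edit bool) *PullRequest {
	return &PullRequest{base, head, branch, poster, edit && canWrite(head, poster)}
}

// reverseForkScenario builds the BASE=fork, HEAD=upstream PR with the flag set as the unpatched endpoint would.
func reverseForkScenario() (vulnerable, hardened bool) {
	const attacker = 42
	upstream := &Repo{ID: 1, Writers: map[int64]bool{7: true}} // user 7 is the real maintainer
	fork := &Repo{ID: 2, Writers: map[int64]bool{attacker: true}}
	pr := &PullRequest{fork, upstream, "main", attacker, true}
	return vulnerableCheck(pr, upstream, "main", attacker), hardenedCheck(pr, upstream, "main", attacker)
}

func main() {
	v, h := reverseForkScenario()
	fmt.Printf("unpatched check allows push: %v; hardened check allows push: %v\n", v, h)
}
```

With the same model, a legitimate maintainer edit (BASE=upstream, HEAD=contributor's fork, maintainer pushing to the fork branch) still passes `hardenedCheck`, so the fix does not break the feature.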

Analysis (AI)

Authorization bypass in Gitea versions up to and including 1.26.1 allows any authenticated user with mere read access to push arbitrary commits directly to any repository they can view, including all public repositories on the instance. The flaw stems from the 'Allow edits from maintainers' pull request flag being trusted without verifying the PR submitter actually owns write access on the HEAD side, enabling reverse-fork PRs to grant unauthorized push rights to upstream targets. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege user
Delivery
Fork target repository
Exploit
Create reverse PR (BASE=fork, HEAD=upstream) with maintainer-edit flag
Execution
Commit malicious change locally
Persist
Push directly to upstream over HTTP/SSH
Impact
Backdoored code lands on default branch

Vulnerability Assessment (AI)

Exploitation: Requires (1) network access to the Gitea web and Git HTTP/SSH endpoints, (2) any authenticated low-privilege account on the instance (read access to the target repository is sufficient; no write, fork-approval, or admin rights are needed), and (3) the instance must have SupportProcReceive enabled (the default on modern Gitea, used to power agit workflows), since the relaxed access-mode check in routers/web/repo/githttp.go and routers/private/serv.go is what defers enforcement to the vulnerable pre-receive hook. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N (8.5) accurately reflects a network-reachable, low-complexity flaw that needs only any low-privilege account and no user interaction, with a scope change (compromise of repositories the attacker does not own) and high integrity impact. …

Exploit Scenario: An attacker registers (or uses any existing low-privilege account) on a target Gitea instance, forks a high-value public repository, then opens a PR with BASE set to their own fork and HEAD set to the upstream repository, ticking 'Allow edits from maintainers'. They clone their fork, craft a malicious commit (for example, backdooring a build script or CI workflow), and run git push against the upstream URL; the push is accepted and lands on the upstream default branch. …

Remediation: Vendor-released patch: upgrade Gitea to 1.26.2 or later, which is the version that addresses GHSA-mm7c-rhg6-qr4r and adds the missing authorization checks. …

Recommended Action (AI)

Within 24 hours: Identify all Gitea instances (query git logs for recent commits by unexpected users; audit repository push events). …

