Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Network-reachable registry disclosure with low complexity and no interaction (AV:N/AC:L/UI:N); pure confidentiality leak so C:H, I:N, A:N; PR:N kept per vendor vector though a low-privilege account may be required.
Primary rating from Vendor (Gitea).
CVSS Vector (Vendor: Gitea): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Description (source: CVE.org)
Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information.
Analysis (AI-generated)
Broken access control in Gitea's Composer package registry (versions up to and including 1.26.1) lets remote attackers read private or internal Composer package source links they should not be authorized to see, leaking internal repository/source metadata. The flaw is a missing-authorization (CWE-862) issue reported by the Gitea project itself and fixed in v1.26.2; no public exploit identified at time of analysis, and it is not listed in CISA KEV. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the target Gitea instance (version ≤ 1.26.1) has the Composer package registry in use and is hosting private or internal packages whose source links are the exposed data; against such a configuration the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates no user interaction and low complexity. … |
| Risk Assessment | The CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N, score 8.2) portrays an easy, network-reachable, unauthenticated information disclosure with high confidentiality impact, a genuinely attractive profile because there are no complexity or interaction barriers. … |
| Exploit Scenario | An attacker with network access to a vulnerable Gitea instance queries the Composer package registry endpoints and receives source links for packages marked private or internal, without holding the permissions those resources require. This yields internal repository/source locations and package sourcing details that can inform further reconnaissance against the organization's private code. … |
| Remediation | Vendor-released patch: v1.26.2. Upgrade any Gitea instance at 1.26.1 or earlier to 1.26.2 or later, which contains the fix delivered in pull request https://github.com/go-gitea/gitea/pull/37610. … |
Recommended Action (AI-generated)
Within 24 hours: Audit all Gitea instances to identify those running versions up to 1.26.1. …
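One way to run that audit, as an added example that is not vuln.today's or Gitea's own code: it classifies each instance's reported version against the fixed release 1.26.2. It assumes the instance exposes Gitea's version endpoint `GET /api/v1/version` (returning JSON such as `{"version": "1.26.1"}`); the instance list at the bottom is a constructed sample.

```python
"""Version audit for the Gitea Composer-registry disclosure (fixed in v1.26.2).

Added example, not vuln.today's or Gitea's code. Assumes the target exposes
Gitea's version endpoint GET /api/v1/version (JSON like {"version": "1.26.1"});
SAMPLE below is a constructed inventory, not real hosts.
"""
import json
import re
import urllib.request

FIXED_VERSION = (1, 26, 2)  # first release carrying the fix (PR 37610)

# Leading "v" is optional; anything after the patch number (e.g. "+dev-...")
# is ignored, so dev builds are compared on their numeric prefix only.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from '1.26.1', 'v1.26.2', '1.27.0+dev-5-gabc123'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Gitea version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True when the reported version is below the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def fetch_version(base_url, timeout=5):
    """Query a live instance's version endpoint (network call, not used by the test)."""
    url = base_url.rstrip("/") + "/api/v1/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


def audit(version_by_instance):
    """Map instance name -> status for a dict of reported version strings."""
    report = {}
    for name, ver in version_by_instance.items():
        try:
            report[name] = "UPGRADE to 1.26.2+" if is_affected(ver) else "ok"
        except ValueError as exc:
            report[name] = f"unknown ({exc})"  # surface unparsable answers
    return report


if __name__ == "__main__":
    # Constructed sample; in practice build it with fetch_version(url) per host.
    SAMPLE = {"git.internal": "1.26.1", "git.dev": "v1.26.2",
              "git.old": "1.22.3", "git.edge": "1.27.0+dev-5-gabc123"}
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```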
Related advisories (titles truncated as listed on the page):
- Container escape in Gitea act_runner (Docker backend, through act 0.262.0) lets an authenticated user with workflow-exec
- Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any
- Cross-repository information disclosure and cross-task tampering in Gitea's self-hosted Git server (fixed in v1.26.2) ar
- Server-side request forgery in Gitea versions up to and including 1.26.2 lets authenticated users abuse incomplete allow
- Approval-gate bypass in Woodpecker CI before 3.15.0 lets an attacker who can open a merge request from a fork against a
- Gitea fails to validate repository ownership when linking attachments to releases, allowing users to attach files from o
- Gitea fails to validate repository ownership when deleting Git LFS locks, allowing users with write access to one repo t
- Gitea does not properly validate project ownership in organization operations, allowing users with project write access
- Stored cross-site scripting in Gitea 1.25.x affects the built-in 3D file viewer (Online3DViewer integration) where a cra
- Authorization bypass in Gitea versions up to and including 1.26.1 allows any authenticated user with mere read access to
- Authorization bypass in Gitea versions 1.22.3 through 1.26.1 allows holders of `public-only` access tokens or OAuth gran
- Authorization bypass in Gitea versions prior to 1.26.0 lets a read-only organization member create repositories in the o
Same weakness: CWE-862 – Missing Authorization. Same technique: Authentication Bypass.
EUVD identifier: EUVD-2026-41635