
Gitea CVE-2026-27771

EUVD ID: EUVD-2026-41635 · Severity: HIGH
Missing Authorization (CWE-862)
2026-07-03 · Vendor: Gitea
CVSS 3.0 base score: 8.2

Severity by source

Vendor (Gitea), primary rating: 8.2 HIGH
CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

vuln.today AI: 7.5 HIGH

Network-reachable registry disclosure with low complexity and no interaction (AV:N/AC:L/UI:N); pure confidentiality leak so C:H, I:N, A:N; PR:N kept per vendor vector though a low-privilege account may be required.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Gitea).

CVSS Vector (Vendor: Gitea)

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jul 03, 2026, 21:02 (vuln.today)

Description (CVE.org)

Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information.

Analysis (AI)

Broken access control in Gitea's Composer package registry (versions up to and including 1.26.1) lets remote attackers read private or internal Composer package source links they should not be authorized to see, leaking internal repository/source metadata. The flaw is a missing-authorization (CWE-862) issue reported by the Gitea project itself and fixed in v1.26.2; no public exploit identified at time of analysis, and it is not listed in CISA KEV. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Reach the Gitea Composer registry over the network
  • Exploit: Request private package source links
  • Execution: The missing permission check returns the data
  • Impact: Harvest internal source/repository metadata

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target Gitea instance (version ≤ 1.26.1) has the Composer package registry in use and hosting private or internal packages whose source links are the exposed data; against such a configuration the vendor CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates no privileges, no user interaction and low complexity, although, as the vuln.today rating above notes, a low-privilege account may in practice be required. …
Risk Assessment: The CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N, score 8.2) portrays an easy, network-reachable, unauthenticated information disclosure with high confidentiality impact, a genuinely attractive profile because there are no complexity or interaction barriers. …
Exploit Scenario: An attacker with network access to a vulnerable Gitea instance queries the Composer package registry endpoints and receives source links for packages marked private or internal, without holding the permissions those resources require. This yields internal repository/source locations and package sourcing details that can inform further reconnaissance against the organization's private code. …
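To make concrete what "package source links" are and why their exposure matters, the following added example (not code from this page or from the Gitea project) parses a Composer p2 package-metadata document, the standard format a Composer registry serves, and lists every version's "source" entry, flagging those whose host looks internal. The JSON, the hostnames, the package names and the INTERNAL_SUFFIXES tuple are constructed for illustration; adapt them to your environment.

```python
"""Inventory the source links in a Composer p2 package-metadata response.

Added example, not code from the vuln.today page or from the Gitea project.
The advisory says the leaked data is the "source" link of private or
internal packages; this shows where that field lives in the standard
Composer p2 format and flags entries whose host looks internal. The JSON
below, the hostnames, package names and INTERNAL_SUFFIXES are all
constructed for illustration.
"""
import json
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample registry response (standard Composer p2 layout:
# "packages" -> package name -> list of versions, each optionally carrying
# "source" and "dist"). Hosts, paths and hashes are invented.
SAMPLE_P2_JSON = json.dumps({
    "packages": {
        "acme/billing-core": [
            {"name": "acme/billing-core", "version": "2.4.1",
             "source": {"type": "git",
                        "url": "https://git.internal.acme.example/acme/billing-core.git",
                        "reference": "9f1c2a7c0d4e8b3f6a5d1e2c3b4a5968c7d8e9f0"},
             "dist": {"type": "zip",
                      "url": "https://git.internal.acme.example/api/packages/acme/composer/files/acme/billing-core/2.4.1",
                      "reference": "9f1c2a7c0d4e8b3f6a5d1e2c3b4a5968c7d8e9f0"}},
            {"name": "acme/billing-core", "version": "2.3.0",
             "source": {"type": "git", "url": "git@10.20.30.40:acme/billing-core.git",
                        "reference": "1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4"}},
        ],
        "acme/public-sdk": [
            {"name": "acme/public-sdk", "version": "1.0.0",
             "source": {"type": "git", "url": "https://github.com/acme/public-sdk.git",
                        "reference": "0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3"}},
        ],
    }
})

# Assumption: DNS suffixes that only resolve on the organisation's network.
INTERNAL_SUFFIXES = (".internal.acme.example", ".corp", ".local")


def source_host(url: str) -> str:
    """Return the host of an http(s)/ssh URL or of scp-like 'user@host:path' syntax."""
    parsed = urlparse(url)
    if parsed.scheme and parsed.hostname:
        return parsed.hostname
    head = url.split(":", 1)[0]          # 'git@10.20.30.40' from 'git@10.20.30.40:acme/x.git'
    return head.split("@", 1)[-1]


def is_internal_host(host: str) -> bool:
    """Private IP address, single-label name, or a configured internal DNS suffix."""
    try:
        return ip_address(host).is_private
    except ValueError:
        pass
    if "." not in host:
        return True
    return host.lower().endswith(INTERNAL_SUFFIXES)


def extract_source_links(p2_json: str) -> list:
    """(package, version, source URL) for every version that carries a source entry."""
    links = []
    for name, versions in json.loads(p2_json).get("packages", {}).items():
        for entry in versions:
            url = (entry.get("source") or {}).get("url")
            if url:
                links.append((name, entry.get("version"), url))
    return links


def find_internal_source_links(p2_json: str) -> list:
    """Subset of extract_source_links whose host looks internal: the entries an
    unauthorised reader of the registry should never have been shown."""
    return [(n, v, u) for n, v, u in extract_source_links(p2_json)
            if is_internal_host(source_host(u))]


if __name__ == "__main__":
    for name, version, url in find_internal_source_links(SAMPLE_P2_JSON):
        print(f"internal source exposed: {name} {version} -> {url}")
```

Running this against metadata pulled from your own registry (authenticated, as an authorised user) tells you what an attacker who reached the same endpoint without authorisation would have learned: the internal Git host, the repository path and a commit hash per version.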
Remediation: Vendor-released patch: v1.26.2. Upgrade any Gitea instance at 1.26.1 or earlier to 1.26.2 or later, which contains the fix delivered in pull request https://github.com/go-gitea/gitea/pull/37610. …

Recommended Action (AI)

Within 24 hours: Audit all Gitea instances to identify those running versions up to 1.26.1. …
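One way to carry out that audit, as an added example that is not code from this page or from the Gitea project: query each instance's public GET /api/v1/version endpoint (which returns {"version": "<version string>"}) and compare the result against the fixed release 1.26.2 named in the remediation above. Gitea version strings can carry commit-count, release-candidate or "+dev" suffixes, so the comparison parses them rather than doing a string match. The instance URLs and the canned responses in SAMPLE_RESPONSES are constructed so the script runs offline.

```python
"""Flag Gitea instances still running a release affected by CVE-2026-27771.

Added example, not code from the vuln.today page or from the Gitea project.
It relies on Gitea's public GET /api/v1/version endpoint, which returns a
JSON object {"version": "<version string>"}, and on the advisory's statement
that 1.26.2 is the first fixed release. The instance URLs and the canned
responses in SAMPLE_RESPONSES are constructed so the audit runs offline.
"""
import json
import re
import urllib.request

# First fixed release per the advisory; trailing 1 marks a final (non-pre-release) build.
FIXED = (1, 26, 2, 1)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")
_PRERELEASE_RE = re.compile(r"-rc\d*|[-+]dev", re.IGNORECASE)


def version_key(text: str) -> tuple:
    """Turn '1.26.1', 'v1.26.2', '1.25.3+15-gabc', '1.27.0-rc1' or '1.27.0+dev-42-gabc'
    into a comparable (major, minor, patch, final) tuple.

    Commits after a tag ('1.25.3+15-g...') compare as that tag. Release
    candidates and '+dev' main-branch builds are treated as older than the
    numbered release they lead up to, so '1.26.2-rc1' is still flagged.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Gitea version string: {text!r}")
    major, minor, patch = m.groups()
    final = 0 if _PRERELEASE_RE.search(text) else 1
    return (int(major), int(minor), int(patch or 0), final)


def is_vulnerable(version_text: str) -> bool:
    """True when the reported version is older than the fixed release 1.26.2."""
    return version_key(version_text) < FIXED


def version_from_response(body: bytes) -> str:
    """Pull the version string out of a /api/v1/version JSON body."""
    return json.loads(body)["version"]


def fetch_version(base_url: str, timeout: float = 10.0) -> str:
    """Query a live instance. Not exercised offline; for a real audit, build the
    dict passed to audit() from this instead of from SAMPLE_RESPONSES."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v1/version",
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return version_from_response(resp.read())


# Constructed canned responses standing in for live instances.
SAMPLE_RESPONSES = {
    "https://git.example.org": b'{"version":"1.26.1"}',
    "https://git-staging.example.org": b'{"version":"1.26.2"}',
    "https://git-old.example.org": b'{"version":"1.25.3+15-g0b1c2d3"}',
    "https://git-dev.example.org": b'{"version":"1.27.0+dev-42-gabcdef1"}',
}


def audit(responses: dict) -> dict:
    """Map instance URL -> (reported version, needs upgrade?)."""
    result = {}
    for url, body in responses.items():
        version = version_from_response(body)
        result[url] = (version, is_vulnerable(version))
    return result


if __name__ == "__main__":
    for url, (version, vulnerable) in audit(SAMPLE_RESPONSES).items():
        print(f"{'UPGRADE' if vulnerable else 'ok     '} {url} ({version})")
```

Instances that hide /api/v1/version behind a reverse proxy or that disable the API will need the version taken from the admin dashboard or the binary instead; treat an unreachable endpoint as unknown, not as patched.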


More in Gitea

  • CVE-2026-58053 (CRITICAL, 9.4, PoC available, Jun 28): Container escape in Gitea act_runner (Docker backend, through act 0.262.0) lets an authenticated user with workflow-exec…
  • CVE-2026-20896 (CRITICAL, 9.8, Jul 03): Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any…
  • CVE-2026-58426 (CRITICAL, 9.6, Jul 03): Cross-repository information disclosure and cross-task tampering in Gitea's self-hosted Git server (fixed in v1.26.2) ar…
  • CVE-2026-22874 (CRITICAL, 9.6, Jul 03): Server-side request forgery in Gitea versions up to and including 1.26.2 lets authenticated users abuse incomplete allow…
  • CVE-2026-58370 (CRITICAL, 9.2, Jun 30): Approval-gate bypass in Woodpecker CI before 3.15.0 lets an attacker who can open a merge request from a fork against a…
  • CVE-2026-20912 (CRITICAL, 9.1, Jan 22): Gitea fails to validate repository ownership when linking attachments to releases, allowing users to attach files from o…
  • CVE-2026-20897 (CRITICAL, 9.1, Jan 22): Gitea fails to validate repository ownership when deleting Git LFS locks, allowing users with write access to one repo t…
  • CVE-2026-20750 (CRITICAL, 9.1, Jan 22): Gitea does not properly validate project ownership in organization operations, allowing users with project write access…
  • CVE-2026-28737 (HIGH, 8.7, Jun 17): Stored cross-site scripting in Gitea 1.25.x affects the built-in 3D file viewer (Online3DViewer integration) where a cra…
  • CVE-2026-26231 (HIGH, 8.5, Jun 16): Authorization bypass in Gitea versions up to and including 1.26.1 allows any authenticated user with mere read access to…
  • CVE-2026-24791 (HIGH, 8.1, Jun 17): Authorization bypass in Gitea versions 1.22.3 through 1.26.1 allows holders of `public-only` access tokens or OAuth gran…
  • CVE-2026-22555 (HIGH, 8.1, Jun 17): Authorization bypass in Gitea versions prior to 1.26.0 lets a read-only organization member create repositories in the o…
