
Gitea CVE-2026-27783

MEDIUM
Missing Authorization (CWE-862)
2026-06-16 https://github.com/go-gitea/gitea GHSA-3fwp-p5rj-2pxf
CVSS 3.1 score 4.3 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 4.3 MEDIUM, AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI: 4.3 MEDIUM

PR:L because exploitation requires an authenticated low-privilege token with existing repository membership; C:L because only specific configuration files are exposed, not arbitrary code.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched
Jun 17, 2026 - 00:36 vuln.today
Analysis Generated
Jun 17, 2026 - 00:36 vuln.today

Description (GitHub Advisory)

Summary

Three Gitea API endpoints - GET /repos/{owner}/{repo}/issue_templates, GET /repos/{owner}/{repo}/issue_config and GET /repos/{owner}/{repo}/issue_config/validate - read files from the repository's Code default branch (.gitea/ISSUE_TEMPLATE/* and issue_config.yaml) and return their contents, but are registered without the reqRepoReader(unit.TypeCode) authorization middleware that every sibling Code-tree endpoint in the same route group carries.

A user who has access to a private repository through *any single repository unit* (for example an organization team granted only the Issues unit, with no Code access) can therefore read the issue-template and issue-config files of that repository's Code tree, which their permission set should not expose.

---

Root cause

The three endpoints lack the unit guard

routers/api/v1/api.go:1433-1437:

```go
m.Get("/issue_templates", context.ReferencesGitRepo(), repo.GetIssueTemplates)
m.Get("/issue_config", context.ReferencesGitRepo(), repo.GetIssueConfig)
m.Get("/issue_config/validate", context.ReferencesGitRepo(), repo.ValidateIssueConfig)
m.Get("/languages", reqRepoReader(unit.TypeCode), repo.GetLanguages)
m.Get("/licenses", reqRepoReader(unit.TypeCode), repo.GetLicenses)
```

context.ReferencesGitRepo() only opens the git repository - it performs no permission check. Every other endpoint in this group that reads Code-tree content is guarded with reqRepoReader(unit.TypeCode): /languages, /licenses, /contents/*, /file-contents, and /{ball_type:tarball|zipball|bundle}/* (api.go:1418-1445). The three issue-template endpoints are the only Code-tree readers in the group missing that guard.

The enclosing group runs repoAssignment() (api.go:1446), whose access check is satisfied by HasAnyUnitAccessOrPublicAccess - i.e. access to any unit of the repository is sufficient to pass. Without a per-unit reqRepoReader, the handlers run for a caller who has no Code permission.

The handlers return Code-tree file contents

routers/api/v1/repo/repo.go:

```go
func GetIssueTemplates(ctx *context.APIContext) { // :1179
	ret := issue.ParseTemplatesFromDefaultBranch(ctx.Repo.Repository, ctx.Repo.GitRepo)
	...
	ctx.JSON(http.StatusOK, ret.IssueTemplates)
}

func GetIssueConfig(ctx *context.APIContext) { // :1209
	issueConfig, _ := issue.GetTemplateConfigFromDefaultBranch(ctx.Repo.Repository, ctx.Repo.GitRepo)
	ctx.JSON(http.StatusOK, issueConfig)
}
```

ParseTemplatesFromDefaultBranch / GetTemplateConfigFromDefaultBranch read .gitea/ISSUE_TEMPLATE/* and issue_config.yaml from the default (Code) branch and return them in the JSON response.

---

Proof of Concept

victim-org/private-repo is a private repository. The attacker is a member of an organization team granted access to that repository through a non-Code unit only (e.g. the Issues unit) - a supported Gitea permission configuration.

```http
GET /api/v1/repos/victim-org/private-repo/issue_templates HTTP/1.1
Host: TARGET
Authorization: token <attacker token>
```

The response is 200 OK with the parsed contents of the repository's .gitea/ISSUE_TEMPLATE/* files. The same applies to /issue_config. Because the caller lacks the Code unit, every other Code-tree endpoint (/contents, /languages, …) correctly returns 404/403 for the same token - only these three return data.

---

Impact

A repository collaborator whose granted permissions exclude the Code unit can read the issue-template and issue-config files from the Code default branch of a private repository. The exposure is limited to those specific configuration files (not arbitrary Code-tree content), which is why this is rated low impact. It is nonetheless a unit-level authorization bypass: the endpoints disclose Code-unit content to callers the permission model is meant to exclude.

---

Suggested fix

Add the same unit guard the sibling endpoints use, in routers/api/v1/api.go:

```go
m.Get("/issue_templates", reqRepoReader(unit.TypeCode), context.ReferencesGitRepo(), repo.GetIssueTemplates)
m.Get("/issue_config", reqRepoReader(unit.TypeCode), context.ReferencesGitRepo(), repo.GetIssueConfig)
m.Get("/issue_config/validate", reqRepoReader(unit.TypeCode), context.ReferencesGitRepo(), repo.ValidateIssueConfig)
```

(If issue templates are intended to be visible to Issues-unit users for issue creation, reqRepoReader(unit.TypeIssues) is the appropriate guard - but the current absence of any unit guard is the bug.)
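The root cause and the suggested fix above come down to one property of the route group: repoAssignment() passes any caller with any unit, so a Code-tree handler is only protected if its own registration carries reqRepoReader(unit.TypeCode). The following is an added example, not Gitea's code: it models that group-level check and the per-unit guard with net/http, registers the issue_templates route first without and then with the guard, and probes both with an Issues-only token. The UnitType set, the NoGuard sentinel, the token table, the route struct, codeTreeRoutes, probe and unguardedCodeRoutes are all assumptions of this model; repoAssignment and reqRepoReader imitate the behaviour the advisory attributes to Gitea's middleware of those names. unguardedCodeRoutes is the regression check a maintainer would run over the real route table to keep a sibling from losing its guard again.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// UnitType models Gitea's repository units (assumption: two) plus a no-guard sentinel.
type UnitType int

const (
	NoGuard UnitType = iota - 1 // route registered without any unit guard
	TypeCode
	TypeIssues
)

// Constructed token table standing in for Gitea's token and team lookup: token -> readable units.
var tokens = map[string]map[UnitType]bool{
	"tok-issues-only": {TypeIssues: true},                 // Issues-unit team member, no Code access
	"tok-code-reader": {TypeCode: true, TypeIssues: true}, // ordinary Code reader
}

type permsKey struct{}

// repoAssignment mirrors the group-level check the advisory describes: access to ANY unit passes.
func repoAssignment(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		perms := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "token ")]
		if len(perms) == 0 {
			http.Error(w, "not found", http.StatusNotFound) // private repo stays hidden
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), permsKey{}, perms)))
	})
}

// reqRepoReader is the per-unit guard: callers lacking unit u are rejected.
func reqRepoReader(u UnitType, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if perms, _ := r.Context().Value(permsKey{}).(map[UnitType]bool); !perms[u] {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// route is one Code-tree API registration and the unit guard it carries.
type route struct {
	path    string
	guard   UnitType
	handler http.HandlerFunc
}

// codeTreeHandler stands in for ParseTemplatesFromDefaultBranch; the body is a constructed sample.
func codeTreeHandler(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprint(w, `[{"name":"Bug report","about":"constructed sample"}]`)
}

// codeTreeRoutes reproduces the advisory's registration: NoGuard = vulnerable, TypeCode = fixed.
func codeTreeRoutes(issueTemplatesGuard UnitType) []route {
	return []route{
		{"/issue_templates", issueTemplatesGuard, codeTreeHandler},
		{"/languages", TypeCode, codeTreeHandler}, // guarded sibling
	}
}

// probe builds the router over routes and returns the status a token gets for path.
func probe(routes []route, token, path string) int {
	mux := http.NewServeMux()
	for _, rt := range routes {
		var h http.Handler = rt.handler
		if rt.guard != NoGuard {
			h = reqRepoReader(rt.guard, h)
		}
		mux.Handle(rt.path, h)
	}
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", "token "+token)
	rec := httptest.NewRecorder()
	repoAssignment(mux).ServeHTTP(rec, req)
	return rec.Code
}

// unguardedCodeRoutes is a regression check: every Code-tree route must carry the Code-unit guard.
func unguardedCodeRoutes(routes []route) []string {
	var bad []string
	for _, rt := range routes {
		if rt.guard != TypeCode {
			bad = append(bad, rt.path)
		}
	}
	return bad
}

func main() {
	fmt.Println("vulnerable, Issues-only token:", probe(codeTreeRoutes(NoGuard), "tok-issues-only", "/issue_templates"))
	fmt.Println("fixed, Issues-only token:", probe(codeTreeRoutes(TypeCode), "tok-issues-only", "/issue_templates"))
	fmt.Println("routes missing the Code guard:", unguardedCodeRoutes(codeTreeRoutes(NoGuard)))
}
```

The Issues-only token receives 200 from the unguarded registration and 404 once the guard is in place, while the Code reader keeps its access in both, which is the property the fix has to preserve; the same token already gets 404 from /languages in the vulnerable table, matching the contrast the proof of concept draws against the sibling endpoints.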

---

References

  • CWE-862 Missing Authorization
  • CWE-284 Improper Access Control
  • OWASP A01:2021 Broken Access Control

Analysis (AI)

Missing repository-unit authorization on three Gitea API endpoints allows authenticated users with only non-Code unit access (e.g., an Issues-only organization team member) to read .gitea/ISSUE_TEMPLATE/* and issue_config.yaml files from the Code default branch of a private repository. The CVSS score of 4.3 (PR:L, C:L) accurately reflects the narrow scope: exploitation is limited to those specific configuration files, not arbitrary source code. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain organization team membership with Issues-only access
Delivery: Authenticate with low-privilege personal access token
Exploit: Send GET /api/v1/repos/{owner}/{repo}/issue_templates to network-accessible Gitea API
Execution: Missing reqRepoReader middleware fails to enforce Code-unit check
Persist: Server reads .gitea/ISSUE_TEMPLATE/* from Code default branch
Impact: Return file contents in 200 OK JSON response to unauthorized caller

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to hold a valid Gitea personal access token (authenticated, low-privilege - PR:L) and to be a member of the target repository through at least one non-Code repository unit, such as the Issues or Wiki unit, within an organization team. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (score 4.3) is well-calibrated for this vulnerability: network-reachable API, no special attack conditions, low-privilege authenticated access required, and confidentiality impact limited to specific configuration files rather than arbitrary source code or secrets. …

Exploit Scenario: An attacker who is an organization team member with Issues-only access to a private Gitea repository sends an authenticated HTTP GET request to `/api/v1/repos/victim-org/private-repo/issue_templates` using their personal access token. Because the endpoint lacks `reqRepoReader(unit.TypeCode)`, the server processes the request, reads `.gitea/ISSUE_TEMPLATE/*` from the Code default branch, and returns the file contents as a 200 OK JSON response - files the attacker's permission set is explicitly meant to exclude. …

Remediation: Upgrade Gitea to version 1.26.2, which adds the missing `reqRepoReader(unit.TypeCode)` middleware to the three affected API endpoints in `routers/api/v1/api.go`, aligning them with every other Code-tree endpoint in the same route group. …

