Impact
The vulnerability exists in the archive download endpoint of Gitea. It allows an attacker to trigger a repository archive download without satisfying the required token scope checks. This authorization bypass means that any valid token, even one that normally lacks the permission to fetch archives, can be used to retrieve the entire repository contents. The impact is the disclosure of source code, configuration files, and possibly other sensitive information, compromising confidentiality.
Affected Systems
Affected installations run the Gitea Open Source Git Server. Versions up to and including 1.26.1 contain the flaw. Upgrading to 1.26.2 or later removes the vulnerability.
Risk and Exploitability
The flaw is remotely exploitable via the web API. An attacker only needs to know the archive download URL and hold a valid token; the archive can then be requested without the intended scope checks being applied. The EPSS score is below 1% and the issue is not listed in CISA KEV. Based on the description, it is inferred that the lack of proper authorization could allow extensive data exfiltration. Administrators should treat this as a high-risk concern until the patch is applied.
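The defensive pattern the advisory implies, as an added illustration that is not Gitea's own code: the archive route is gated on a token scope check rather than on the token merely being valid. The scope names and the `requiredScope` mapping are assumptions for this example; consult the Gitea documentation for the real scope names of your version.

```go
package main

import (
	"net/http"
	"strings"
)

// Token models an access token and the scopes granted to it. The scope
// names used here are assumed for illustration, not Gitea's own.
type Token struct {
	Name   string
	Scopes []string
}

// requiredScope maps a route family to the scope it must carry
// (hypothetical mapping for this example).
var requiredScope = map[string]string{"archive": "read:repository"}

// HasScope reports whether the token carries the named scope; a write
// scope is taken to imply the matching read scope (an assumption here).
func (t Token) HasScope(want string) bool {
	for _, s := range t.Scopes {
		if s == want {
			return true
		}
		if strings.HasPrefix(want, "read:") && s == "write:"+strings.TrimPrefix(want, "read:") {
			return true
		}
	}
	return false
}

// AuthorizeArchive is the check the unpatched endpoint skipped: it must
// run before any archive bytes are produced.
func AuthorizeArchive(t Token) bool {
	return t.HasScope(requiredScope["archive"])
}

// ArchiveHandlerHardened wraps the archive route so the scope check gates
// the download instead of only the token's validity.
func ArchiveHandlerHardened(t Token, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !AuthorizeArchive(t) {
			http.Error(w, "token lacks required scope", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}
```

A token scoped only to notifications is refused, while read or write repository scopes are accepted; the unpatched behaviour corresponds to calling `next` unconditionally.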
OpenCVE Enrichment
GitHub GHSA