Description
Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint.
Published: 2026-07-03
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in Gitea's web archive download endpoint, which does not apply the scope checks that normally constrain an access token. A token whose scopes should not allow fetching repository archives can therefore be used to download a complete archive (a snapshot of a branch, tag or commit) of a repository it can reach. The impact described is disclosure of repository contents, including source code, configuration files and any sensitive material committed to the repository, i.e. a loss of confidentiality; no integrity or availability impact is described.

Affected Systems

Affected installations are Gitea (the open-source Git server) at versions up to and including 1.26.1. Upgrading to 1.26.2 or later removes the vulnerability.
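A quick way to verify which side of the fix boundary an instance sits on, added here as an example and not code from Gitea or OpenCVE: it queries Gitea's /api/v1/version endpoint (which returns a JSON object with a "version" field) and compares the reported release against 1.26.2, the first fixed version named above. The hostname is a placeholder; the version regex and the handling of "+dev" build suffixes are assumptions about Gitea's version strings.

```python
"""Check whether a Gitea instance is in the range affected by this advisory.

Added example, not code from Gitea or OpenCVE. The affected range is taken
from the advisory text: versions up to and including 1.26.1 are affected and
1.26.2 is the first fixed release. The hostname used in __main__ is a
placeholder (assumption).
"""
import json
import re
import urllib.request

FIXED_VERSION = (1, 26, 2)  # first fixed release per the advisory


def parse_gitea_version(version: str) -> tuple:
    """Extract the numeric (major, minor, patch) triple from a Gitea version string.

    Gitea reports strings such as "1.26.1", "1.26.1+rc1" or "1.27.0+dev-12-gabcdef"
    (assumed formats); everything after the triple is ignored for the comparison.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Gitea version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the release triple is below the first fixed release.

    Caveat: a development build whose triple is already 1.26.2 or higher
    (e.g. "1.27.0+dev-...") compares as fixed here even though it may have
    been built before the fix commit; confirm such builds against the
    fix commit rather than trusting the version number alone.
    """
    return parse_gitea_version(version) < FIXED_VERSION


def check_instance(base_url: str, timeout: float = 5.0) -> dict:
    """Query /api/v1/version on a live instance and report the verdict."""
    url = f"{base_url.rstrip('/')}/api/v1/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        version = json.load(resp)["version"]
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    # Placeholder host (assumption); replace with your own instance.
    print(check_instance("https://gitea.example.com"))
```

The /api/v1/version endpoint is reachable without authentication on a default install, so this can run from a scanner host; if the instance restricts API access, run it with a session or token instead.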

Risk and Exploitability

The flaw is remotely exploitable over HTTP. An attacker needs only a valid access token and the archive download URL of a repository; the request is served without the intended scope check. As described, this is a bypass of token scope checks rather than of repository-level permissions, so the exposure is bounded by what the token's owner could already read; the practical danger is that a narrowly scoped token (for example one issued to a CI job or a third-party integration) that leaks now yields full repository archives rather than only what its scope was meant to allow. The EPSS score is below 1% and the issue is not listed in CISA KEV, but the description implies that a low-privilege token can be used for bulk source exfiltration, so administrators should treat it as high risk until 1.26.2 or later is deployed.

Generated by OpenCVE AI on July 5, 2026 at 00:32 UTC.

Remediation

No vendor fix or workaround is recorded in this field; the advisory and the recommended actions below identify Gitea 1.26.2 as the fixed release.

OpenCVE Recommended Actions

  • Upgrade Gitea to version 1.26.2 or later, which restores proper token scope enforcement for archive downloads.
  • If an upgrade cannot be performed immediately, reduce exposure by reviewing issued access tokens, revoking those that are unused or held by third-party integrations, and keeping scopes minimal. Note that narrowing scopes alone does not mitigate this flaw, since the affected endpoint does not enforce them.
  • Monitor Gitea access logs for archive download requests (paths of the form /{owner}/{repo}/archive/{ref}.zip, .tar.gz or .bundle) and alert on unusual volume or on a single account fetching archives of many repositories.
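Detection logic for the last recommendation, added here as an example; it is not part of the OpenCVE page or of Gitea's own tooling. It assumes Gitea's access log is enabled with the default ACCESS_LOG_TEMPLATE (remote host, identity, timestamp, request line, status, size, referer, user agent) and matches the web archive route /{owner}/{repo}/archive/{ref}.{zip,tar.gz,bundle}, plus the equivalent /api/v1/repos/... route. The sample log lines, the ten-minute window and the three-repository threshold are constructed for illustration.

```python
"""Flag bulk repository-archive downloads in Gitea access logs.

Added example, not code from Gitea or OpenCVE. Assumes ENABLE_ACCESS_LOG is
on with Gitea's default ACCESS_LOG_TEMPLATE. Sample lines and thresholds are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default Gitea access log line:
# <remote host> - <identity> [<timestamp>] "<method> <path> <proto>" <status> <size> "<referer>" "<user agent>"
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Web route /{owner}/{repo}/archive/{ref}.{ext}; the /api/v1/repos prefix is the
# equivalent API route and is matched as well so neither path is missed.
ARCHIVE_PATH = re.compile(
    r'^(?:/api/v1/repos)?/(?P<owner>[^/]+)/(?P<repo>[^/]+)/archive/'
    r'(?P<ref>.+?)\.(?P<ext>zip|tar\.gz|bundle)(?:\?.*)?$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: "alice" sweeps three repositories in eight seconds with
# curl; "bob" fetches one tagged release; an anonymous request fails; a bot
# browses a repository page without downloading an archive.
SAMPLE_LOG = """\
203.0.113.7 - alice [03/Jul/2026:21:02:11 +0000] "GET /acme/payments/archive/main.zip HTTP/1.1" 200 1048576 "" "curl/8.5.0"
203.0.113.7 - alice [03/Jul/2026:21:02:14 +0000] "GET /acme/billing/archive/main.tar.gz HTTP/1.1" 200 884211 "" "curl/8.5.0"
203.0.113.7 - alice [03/Jul/2026:21:02:19 +0000] "GET /acme/infra/archive/release-2.bundle HTTP/1.1" 200 2311000 "" "curl/8.5.0"
198.51.100.4 - bob [03/Jul/2026:21:05:40 +0000] "GET /acme/payments/archive/v1.4.0.zip HTTP/1.1" 200 1048576 "" "Mozilla/5.0"
198.51.100.9 - - [03/Jul/2026:21:06:01 +0000] "GET /acme/infra/archive/main.zip HTTP/1.1" 404 0 "" "curl/8.5.0"
192.0.2.5 - ci-bot [03/Jul/2026:21:07:30 +0000] "GET /acme/payments/ HTTP/1.1" 200 5120 "" "Go-http-client/1.1"
"""


def parse_archive_downloads(lines):
    """Yield (timestamp, user, owner/repo, ref, ip, user_agent) for successful archive GETs."""
    for line in lines:
        m = ACCESS_LINE.match(line.strip())
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        a = ARCHIVE_PATH.match(m["path"])
        if not a:
            continue
        yield (datetime.strptime(m["ts"], TS_FORMAT), m["user"],
               f"{a['owner']}/{a['repo']}", a["ref"], m["ip"], m["ua"])


def find_bulk_downloaders(lines, window=timedelta(minutes=10), min_repos=3):
    """Return {user: details} for identities that downloaded archives of at
    least `min_repos` distinct repositories within any span of length `window`.

    One account pulling one archive is normal developer or CI behaviour; one
    account sweeping many repositories in a short time is the exfiltration
    pattern worth alerting on.
    """
    events = defaultdict(list)
    for ts, user, repo, _ref, ip, ua in parse_archive_downloads(lines):
        events[user].append((ts, repo, ip, ua))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):  # sliding window over time-ordered events
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            span = evs[lo:hi + 1]
            repos = {e[1] for e in span}
            if len(repos) >= min_repos:
                alerts[user] = {
                    "repos": sorted(repos),
                    "start": span[0][0], "end": span[-1][0],
                    "ips": sorted({e[2] for e in span}),
                    "user_agents": sorted({e[3] for e in span}),
                }
                break
    return alerts


if __name__ == "__main__":
    for user, info in find_bulk_downloaders(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {user}: {len(info['repos'])} repos {info['start']}..{info['end']} "
              f"from {info['ips']} via {info['user_agents']}")
```

Because the access log records the username rather than the token, a hit identifies the account whose credential was used, not the specific token; follow up in that user's token list (or revoke all of their tokens) and tune the window and threshold to your CI's normal archive traffic so scheduled builds do not page you.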


Advisories

Source: GitHub GHSA
ID: GHSA-cr4g-f395-h25h
Title: Gitea: Token scope bypass on web archive download endpoint
History

Fri, 03 Jul 2026 20:45:00 +0000

Values removed: none

Values added:
  • Description: Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint.
  • Title: Gitea repository archive downloads bypass token scope checks
  • Weaknesses: CWE-284
  • References: none recorded


MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-07-03T20:19:28.868Z

Reserved: 2026-03-03T03:25:59.955Z

Link: CVE-2026-20706

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T00:45:04Z

Weaknesses