Impact
Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets. This flaw permits an attacker to introduce a repository that accesses and reveals organization secrets, compromising confidential information and undermining trust in the system. The weakness is a misimplementation of access control (CWE-284).
Affected Systems
The vulnerability affects the Gitea Open Source Git Server, specifically all releases before v1.26.0. No specific sub‑products or versions beyond that cut‑off are listed, so any deployment of Gitea older than 1.26.0 is impacted.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity and a broad potential impact on confidentiality of organization secrets. The EPSS score is less than 1 %, implying a low but nonzero likelihood of exploitation. The flaw is not currently listed in the CISA KEV catalog, which could suggest the exploit may not yet be widely used. The likely attack vector is through the API: an attacker who can call the fork endpoint may create a repository inside an organization without passing the CanCreateOrgRepo check, thereby exposing stored secrets. Successful exploitation could allow adversaries full access to secret tokens and environment variables stored in the organization repository. No external code execution or denial of service is described, but the confidentiality damage is significant.
OpenCVE Enrichment
Github GHSA