Description
Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets.
Published: 2026-07-03
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets. This flaw permits an attacker to introduce a repository that accesses and reveals organization secrets, compromising confidential information and undermining trust in the system. The weakness is a misimplementation of access control (CWE-284).

Affected Systems

The vulnerability affects the Gitea Open Source Git Server, specifically all releases before v1.26.0. No specific sub‑products or versions beyond that cut‑off are listed, so any deployment of Gitea older than 1.26.0 is impacted.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity and a broad potential impact on confidentiality of organization secrets. The EPSS score is less than 1 %, implying a low but nonzero likelihood of exploitation. The flaw is not currently listed in the CISA KEV catalog, which could suggest the exploit may not yet be widely used. The likely attack vector is through the API: an attacker who can call the fork endpoint may create a repository inside an organization without passing the CanCreateOrgRepo check, thereby exposing stored secrets. Successful exploitation could allow adversaries full access to secret tokens and environment variables stored in the organization repository. No external code execution or denial of service is described, but the confidentiality damage is significant.

Generated by OpenCVE AI on July 6, 2026 at 09:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gitea to version 1.26.0 or later, which implements the missing CanCreateOrgRepo check.
  • After upgrading, re‑apply or review the API authentication and authorization configuration to ensure only trusted users can invoke repository operations.
  • Monitor organization repositories for unexpected forks and review audit logs for unauthorized activity.

Generated by OpenCVE AI on July 6, 2026 at 09:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fhx7-m96w-mv29 Gitea: API Fork Missing CanCreateOrgRepo Check Allows Org Secret Exfiltration
History

Fri, 03 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets.
Title Gitea organization forks can expose organization secrets without create permission
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-07-03T20:19:30.648Z

Reserved: 2026-03-03T03:25:28.700Z

Link: CVE-2026-22555

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T01:00:05Z

Weaknesses