Description
Gitea versions up to and including 1.26.1 do not apply public-only token filtering consistently to the user organization API, leaving an incomplete fix for CVE-2025-68941.
Published: 2026-07-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the detailed notice, Gitea versions up to and including 1.26.1 do not apply public‑only token filtering consistently to the user organization API. The description of the issue was updated to provide more detail, but the core flaw remains an insufficient access control (CWE‑862). Requests with a valid API token can retrieve organization data even when the token is intended to be public‑only, allowing an attacker to bypass the intended access restrictions and leaving an incomplete fix for CVE‑2025‑68941.

Affected Systems

The vulnerability affects the Gitea Open Source Git Server product, specifically all releases through 1.26.1. Users running these or earlier versions are at risk.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity; the EPSS score is < 1%, indicating a very low but nonzero likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalogue. Attackers can exploit this remotely by presenting a valid API token to the user organization endpoint, bypassing the public‑only filter. Based on the description, it is inferred that the attacker must possess a valid API token, and no special network configuration beyond the ability to communicate with the Gitea instance is required.

Generated by OpenCVE AI on July 6, 2026 at 09:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gitea to version 1.26.2 or later, which implements the correct token filtering logic.
  • Verify that API tokens in use are scoped appropriately and that public‑only tokens cannot access organization data via the API.
  • If an immediate upgrade is not possible, restrict organization‑API access by disabling or isolating the endpoint in the server configuration, or by revoking and recreating compromised tokens with stricter permissions.

Generated by OpenCVE AI on July 6, 2026 at 09:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8629-vc8r-5p58 Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw
History

Fri, 03 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description Gitea versions up to and including 1.26.1 do not apply public-only token filtering consistently to the user organization API, leaving an incomplete fix for CVE-2025-68941.
Title Gitea user organization API bypasses public-only token filtering
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-07-03T20:19:32.756Z

Reserved: 2026-03-03T03:25:50.209Z

Link: CVE-2026-25714

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T01:00:05Z

Weaknesses