Impact
Based on the detailed notice, Gitea versions up to and including 1.26.1 do not apply public‑only token filtering consistently to the user organization API. The description of the issue was updated to provide more detail, but the core flaw remains an insufficient access control (CWE‑862). Requests with a valid API token can retrieve organization data even when the token is intended to be public‑only, allowing an attacker to bypass the intended access restrictions and leaving an incomplete fix for CVE‑2025‑68941.
Affected Systems
The vulnerability affects the Gitea Open Source Git Server product, specifically all releases through 1.26.1. Users running these or earlier versions are at risk.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity; the EPSS score is < 1%, indicating a very low but nonzero likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalogue. Attackers can exploit this remotely by presenting a valid API token to the user organization endpoint, bypassing the public‑only filter. Based on the description, it is inferred that the attacker must possess a valid API token, and no special network configuration beyond the ability to communicate with the Gitea instance is required.
OpenCVE Enrichment
Github GHSA