CVE-2026-27761 (MEDIUM, CVSS 3.1 base score 4.3)
Description
Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope.
Metadata
Severity & Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Gitea | Gitea Open Source Git Server | — | 0 ≤ 1.26.2 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-863 | cna | Incorrect Authorization |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 4.3 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References (4)
- GitHub Security Advisory https://github.com/go-gitea/gitea/security/advisories/GHSA-3pww-vcvm-3gmj
- GitHub Pull Request #38147 https://github.com/go-gitea/gitea/pull/38147
- Gitea v1.26.3 Release https://github.com/go-gitea/gitea/releases/tag/v1.26.3
- Gitea v1.26.4 Release Blog Post https://blog.gitea.com/release-of-1.26.3-and-1.26.4/