API Token Scope Bypass in Gitea Repository Endpoints
CVE-2026-27761
4.3 MEDIUM
What is CVE-2026-27761?
Gitea versions up to and including 1.26.2 serve repository RSS and Atom feed endpoints without enforcing API token scopes. A token that lacks the repository scope, which is meant to restrict the token to a subset of what its owner can do, can still fetch a private repository's feed and, with it, commit data that the scope model should have withheld. The feed routes therefore leak private commit information to callers whose tokens were deliberately restricted, so on affected versions a narrowly scoped token cannot be relied on to keep an integration away from commit history.
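The bug class, as an added illustration that is not Gitea's own code: a minimal model of scoped tokens with two request dispatchers. The vulnerable one enforces the scope on the API commit listing but lets the `.rss`/`.atom` route through on identity alone, which is the shape of flaw the advisory describes; the fixed one routes every representation of the repository through a single authorization function. The scope name `read:repository`, the path layouts, and the sample repository and tokens are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical token and repository types for this example (not Gitea's).
type Token struct {
	User   string
	Scopes []string // assumed scope names, e.g. "read:user", "read:repository"
}

type Repo struct {
	Owner, Name string
	Private     bool
	Commits     []string // constructed sample data
}

const scopeReadRepo = "read:repository" // assumed scope name

func (t Token) hasScope(scope string) bool {
	for _, s := range t.Scopes {
		if s == scope || s == "all" {
			return true
		}
	}
	return false
}

// authorize is the single policy: public repos are readable by anyone,
// private repos need an owner token that carries the repository read scope.
func authorize(t Token, r Repo) bool {
	if !r.Private {
		return true
	}
	return t.User == r.Owner && t.hasScope(scopeReadRepo)
}

// route classifies a path as the API commit listing ("api") or the
// RSS/Atom feed ("feed") and returns the "owner/name" key it refers to.
func route(path string) (kind, key string, ok bool) {
	if strings.HasPrefix(path, "/api/v1/repos/") {
		parts := strings.Split(strings.TrimPrefix(path, "/api/v1/repos/"), "/")
		if len(parts) == 3 && parts[2] == "commits" {
			return "api", parts[0] + "/" + parts[1], true
		}
		return "", "", false
	}
	trimmed := strings.TrimPrefix(path, "/")
	for _, ext := range []string{".rss", ".atom"} {
		if strings.HasSuffix(trimmed, ext) {
			rest := strings.TrimSuffix(trimmed, ext)
			if strings.Count(rest, "/") == 1 {
				return "feed", rest, true
			}
		}
	}
	return "", "", false
}

func render(r Repo) string {
	return fmt.Sprintf("%s/%s: %s", r.Owner, r.Name, strings.Join(r.Commits, ", "))
}

// serveVulnerable models the flaw: the API route checks the scope, but the
// feed route only checks that the token belongs to the repo owner.
func serveVulnerable(path string, t Token, repos map[string]Repo) (int, string) {
	kind, key, ok := route(path)
	r, exists := repos[key]
	if !ok || !exists {
		return 404, ""
	}
	switch kind {
	case "api":
		if !authorize(t, r) {
			return 403, ""
		}
	case "feed":
		if r.Private && t.User != r.Owner { // identity only; scopes ignored
			return 404, ""
		}
	}
	return 200, render(r)
}

// serveFixed runs every route, feeds included, through authorize().
func serveFixed(path string, t Token, repos map[string]Repo) (int, string) {
	_, key, ok := route(path)
	r, exists := repos[key]
	if !ok || !exists {
		return 404, ""
	}
	if !authorize(t, r) {
		return 403, ""
	}
	return 200, render(r)
}

func main() {
	repos := map[string]Repo{ // constructed sample data
		"alice/secrets": {Owner: "alice", Name: "secrets", Private: true,
			Commits: []string{"add prod creds", "rotate key"}},
	}
	narrow := Token{User: "alice", Scopes: []string{"read:user"}} // no repository scope
	for _, p := range []string{"/api/v1/repos/alice/secrets/commits", "/alice/secrets.rss"} {
		vs, _ := serveVulnerable(p, narrow, repos)
		fs, _ := serveFixed(p, narrow, repos)
		fmt.Printf("%-38s vulnerable=%d fixed=%d\n", p, vs, fs)
	}
}
```

The point the model makes is structural: any alternate representation of a resource (feed, export, mirror, badge) must share the same authorization path as the primary API, or a scope restriction only constrains the routes its authors remembered.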
Affected Version(s)
Gitea Open Source Git Server, all versions from 0 up to and including 1.26.2
