OAuth2 Token Scope Bypass in Gitea by Gitea Inc.
CVE-2026-28699
8.1HIGH
What is CVE-2026-28699?
Gitea versions up to and including 1.26.1 are susceptible to an OAuth2 access token scope enforcement bypass. This vulnerability arises when attackers leverage HTTP Basic authentication mechanisms, allowing them to circumvent required scopes for OAuth2 tokens. This can lead to unauthorized access to resources that should be protected under the intended permissions, posing a significant security risk for users and their data. It is crucial for users to upgrade to Gitea version 1.26.2 or later to mitigate the risk associated with this vulnerability.
Affected Version(s)
Gitea Open Source Git Server 0 <= 1.26.1
