OAuth2 Token Scope Bypass in Gitea by Gitea Inc.
CVE-2026-28699

8.1HIGH

Key Information:

Vendor

Gitea

Vendor
CVE Published:
3 July 2026

What is CVE-2026-28699?

Gitea versions up to and including 1.26.1 are susceptible to an OAuth2 access token scope enforcement bypass. This vulnerability arises when attackers leverage HTTP Basic authentication mechanisms, allowing them to circumvent required scopes for OAuth2 tokens. This can lead to unauthorized access to resources that should be protected under the intended permissions, posing a significant security risk for users and their data. It is crucial for users to upgrade to Gitea version 1.26.2 or later to mitigate the risk associated with this vulnerability.

Affected Version(s)

Gitea Open Source Git Server 0 <= 1.26.1

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alardiians
.