Authentication Bypass in Gitea Affects Git Smart HTTP Requests
CVE-2026-28744

8.1HIGH

Key Information:

Vendor

Gitea

Vendor
CVE Published:
3 July 2026

What is CVE-2026-28744?

Gitea versions up to and including 1.26.1 are susceptible to an authentication bypass issue that allows Git smart HTTP requests authenticated with bearer tokens to evade repository token scope checks. This vulnerability could enable unauthorized access to repositories, thereby compromising sensitive data. Users are encouraged to upgrade to version 1.26.2 or later to mitigate this risk.

Affected Version(s)

Gitea Open Source Git Server 0 <= 1.26.1

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ohxorud-dev
lunny
.