CVE-2025-68941
Published 2025-12-26
CVE-2025-68941: Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
Priority: P430 · Severity: medium · CVSS 3.1 base score 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.24% (14.7th percentile)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.22.3 | 1.22.3 |
| code.gitea.io | gitea | >= 0 < 1.26.2 | 1.26.2 |
| code.gitea.io | gitea | >= 1.22.3 < 1.26.2 | 1.26.2 |
| gitea | gitea | < 1.22.3 | 1.22.3 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| ghsa | 5.3 | MEDIUM | |
| vendor_redhat | 4.9 | MEDIUM | |
GHSA
CVE-2026-24791 [MEDIUM] CWE-863 Gitea: Public-only tokens bypass private-resource restrictions on `/api/v1/user` self routes
ghsa · 2026-06-17 · CVSS 5.3
## Summary
Many authenticated self routes under `/api/v1/user/...` do not enforce the `public-only` token restriction. As a result, a token or OAuth grant marked `public-only`, but otherwise carrying the route-required read/write scope category, can access or modify private account resources through self routes.
The canonical private-user endpoint correctly rejects the same tokens, for example `GET /api/v1/users/{privateUser}` returns `403`. The bypass exists because the generic `/api/v1/user` route group requires user scope and `reqToken()`, but does not enforce the token's public-only restriction for most self routes.
This is a systemic token/OAuth scope-boundary bypass, not a single endpoint
GHSA
CVE-2026-25714 [MEDIUM] CWE-862 Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw
ghsa · 2026-06-16 · CVSS 5.3
## Summary
Two related issues in the token public-only scope enforcement introduced by PR #32204 (CVE-2025-68941 fix). A public-only scoped API token can access private organization data.
## Issue 1: /user/orgs missing checkTokenPublicOnly()
`routers/api/v1/api.go` line 1599:
```go
m.Get("/user/orgs", reqToken(), tokenRequiresScopes(
auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization,
), org.ListMyOrgs)
// Missing checkTokenPublicOnly()
```
Adjacent route at line 1603 has it:
```go
m.Group("/users/{username}/orgs", func() { ... },
..., checkTokenPublicOnly())
```
## Issue 2: checkTokenPublicOnly switch-case evaluates only first matching category
OSV
CVE-2025-68941 Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea
osv · 2025-12-30
GHSA
CVE-2025-68941 [MEDIUM] CWE-863 Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources
ghsa · 2025-12-26
Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
OSV
CVE-2025-68941 [MEDIUM] Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources
osv · 2025-12-26
Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
Red Hat
CVE-2025-68941 [MEDIUM] CWE-863 gitea: Gitea: Unauthorized access to private resources via public-scoped API tokens
vendor_redhat · 2025-12-26 · CVSS 4.9
Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
A flaw was found in Gitea. An attacker with an API token intended for public resources could exploit this vulnerability to gain unauthorized access to private resources. This misconfiguration allows for a bypass of access controls, potentially leading to information disclosure from private repositories or other sensitive data.
Statement: This vulnerability is rated Moderate for Red Hat OpenShift Pipelines. An attacker with a public-scoped API token could gain unauthorized access to private resources due to a misconfiguration in Gitea. This affects OpenShift Pipelines in update s
No detection rules found.
No public exploits indexed.