CVE-2026-26231
Published: 2026-06-16
Severity: high
# Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo

## Summary

Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks.

## Vulnerability

Gitea's "Allow edits from maintainers" PR option can be abused via reverse-fork PRs:

1. The web UI PR-create endpoint binds `allow_maintainer_edit=true` **without** verifying that the submitter has write access to the HEAD repository.
2. Gitea allows creating a PR where **BASE = attacker's fork** and **HEAD = upstream target**. The attacker is "maintainer" of the BASE (their own fork), so the flag is set against the upstream HEAD.
3. On `git push` over HTTP/SSH, Gitea relaxes the required access mode to `Read` when `SupportProcReceive` is enabled ([`routers/web/repo/githttp.go`](https://github.com/go-gitea/gitea/blob/v1.25.5/routers/web/repo/githttp.go#L189), [`routers/private/serv.go`](https://github.com/go-gitea/gitea/blob/v1.25.5/routers/private/serv.go#L337)) and defers enforcement to the pre-receive hook.
4. The pre-receive hook calls [`CanMaintainerWriteToBranch`](https://github.com/go-gitea/gitea/blob/v1.25.5/models/issues/pull_list.go#L72) (`models/issues/pull_list.go`), which finds the malicious PR, sees `AllowMaintainerEdit=true`, and checks whether the pusher has write access to the **BASE** repo. Since BASE is the attacker's own fork, the check passes and the push is authorized against the upstream.

## Exploitation

1. Attacker forks the target repository.
2. Attacker visits the web compare endpoint and creates a PR with `BASE = their_fork`, `HEAD = upstream`, and "Allow edits from maintainers" checked.
3. Attacker clones their fork, makes a commit, and runs `git push` — the push is accepted.

## Reproduction

```bash
python3 poc.py --repo http://gitea:3000/victim/repo --user attacker --password attacker_pass
```

[poc.py](https://github.com/user-attach
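The authorization logic in the Vulnerability section, modelled as an added example. This is not Gitea's code and not the 1.26.2 patch: `Repo`, `PullRequest`, `vulnerableCanMaintainerWrite`, `createPullRequest`, `hardenedCanMaintainerWrite` and `runScenario` are hypothetical names, and the repositories and users in the scenario are constructed. The vulnerable function reproduces the flawed rule (a PR with the flag set whose HEAD is the pushed-to repo authorizes anyone who can write to its BASE); the hardened path adds the two checks the advisory implies are missing: the flag may only be set by someone who can already write to HEAD, and at push time HEAD must be a fork of BASE so that "maintainer" can only mean a writer of the upstream.

```go
package main

import (
	"errors"
	"fmt"
)

// Repo is a hypothetical, minimal model of a repository (not Gitea's own type).
type Repo struct {
	Name    string
	ForkOf  *Repo           // nil for an upstream repository
	Writers map[string]bool // users with write access
	Readers map[string]bool // users with read-only access
}

func (r *Repo) CanWrite(user string) bool { return r.Writers[user] }
func (r *Repo) CanRead(user string) bool  { return r.Readers[user] || r.Writers[user] }

// PullRequest models only the fields the advisory's reasoning needs.
type PullRequest struct {
	Base, Head          *Repo
	AllowMaintainerEdit bool
}

// vulnerableCanMaintainerWrite mirrors the flawed pre-receive rule described in
// the advisory: any PR with the flag set whose HEAD is the pushed-to repo
// authorizes the push if the pusher can write to that PR's BASE. With a
// reverse-fork PR, BASE is the attacker's own fork, so the check passes.
func vulnerableCanMaintainerWrite(prs []*PullRequest, pushedTo *Repo, pusher string) bool {
	for _, pr := range prs {
		if pr.Head == pushedTo && pr.AllowMaintainerEdit && pr.Base.CanWrite(pusher) {
			return true
		}
	}
	return false
}

// createPullRequest is the hardened creation path (an assumed design): the flag
// grants others write access to HEAD, so only a HEAD writer may set it.
func createPullRequest(base, head *Repo, creator string, allowMaintainerEdit bool) (*PullRequest, error) {
	if !base.CanRead(creator) || !head.CanRead(creator) {
		return nil, errors.New("creator cannot read both repositories")
	}
	if allowMaintainerEdit && !head.CanWrite(creator) {
		return nil, fmt.Errorf("allow_maintainer_edit requires write access to head repo %q", head.Name)
	}
	return &PullRequest{Base: base, Head: head, AllowMaintainerEdit: allowMaintainerEdit}, nil
}

// hardenedCanMaintainerWrite adds a direction check at push time as defence in
// depth: HEAD must be a fork of BASE, so a reverse-fork PR never grants access.
func hardenedCanMaintainerWrite(prs []*PullRequest, pushedTo *Repo, pusher string) bool {
	for _, pr := range prs {
		if pr.Head != pushedTo || !pr.AllowMaintainerEdit {
			continue
		}
		if pr.Head.ForkOf != pr.Base {
			continue // reverse-fork PR: BASE writers are not upstream maintainers
		}
		if pr.Base.CanWrite(pusher) {
			return true
		}
	}
	return false
}

// Outcome records what each check decides for the constructed scenario.
type Outcome struct {
	VulnerableAcceptsAttacker bool // flawed rule lets the attacker push to upstream
	HardenedAcceptsAttacker   bool // hardened push-time rule on the same PR
	CreationRefused           bool // hardened creation path rejects the reverse PR
	LegitMaintainerPushOK     bool // normal fork->upstream PR still lets a maintainer push to the fork
}

func runScenario() Outcome {
	upstream := &Repo{Name: "victim/repo", Writers: map[string]bool{"maintainer": true},
		Readers: map[string]bool{"attacker": true, "contributor": true}}
	attackerFork := &Repo{Name: "attacker/repo", ForkOf: upstream, Writers: map[string]bool{"attacker": true}}
	contributorFork := &Repo{Name: "contributor/repo", ForkOf: upstream,
		Writers: map[string]bool{"contributor": true}, Readers: map[string]bool{"maintainer": true}}

	// Reverse-fork PR as the vulnerable UI would have bound it: BASE = fork, HEAD = upstream.
	reverse := &PullRequest{Base: attackerFork, Head: upstream, AllowMaintainerEdit: true}
	_, creationErr := createPullRequest(attackerFork, upstream, "attacker", true)

	// Legitimate use of the feature: contributor's fork -> upstream with the flag set.
	legit, _ := createPullRequest(upstream, contributorFork, "contributor", true)

	return Outcome{
		VulnerableAcceptsAttacker: vulnerableCanMaintainerWrite([]*PullRequest{reverse}, upstream, "attacker"),
		HardenedAcceptsAttacker:   hardenedCanMaintainerWrite([]*PullRequest{reverse}, upstream, "attacker"),
		CreationRefused:           creationErr != nil,
		LegitMaintainerPushOK:     hardenedCanMaintainerWrite([]*PullRequest{legit}, contributorFork, "maintainer"),
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

The two hardened checks are independent: the creation-time check closes the bug at its source, while the fork-direction check at push time means a PR row that was created before the fix, or through another code path, still cannot be used to authorize a push.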
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.26.2 | 1.26.2 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.