CVE-2026-26231
published 2026-06-16


# Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo

Severity: high

## Summary

Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks.

## Vulnerability

Gitea's "Allow edits from maintainers" PR option can be abused via reverse-fork PRs:

1. The web UI PR-create endpoint binds `allow_maintainer_edit=true` **without** verifying that the submitter has write access to the HEAD repository.
2. Gitea allows creating a PR where **BASE = attacker's fork** and **HEAD = upstream target**. The attacker is "maintainer" of the BASE (their own fork), so the flag is set against the upstream HEAD.
3. On `git push` over HTTP/SSH, Gitea relaxes the required access mode to `Read` when `SupportProcReceive` is enabled ([`routers/web/repo/githttp.go`](https://github.com/go-gitea/gitea/blob/v1.25.5/routers/web/repo/githttp.go#L189), [`routers/private/serv.go`](https://github.com/go-gitea/gitea/blob/v1.25.5/routers/private/serv.go#L337)) and defers enforcement to the pre-receive hook.
4. The pre-receive hook calls [`CanMaintainerWriteToBranch`](https://github.com/go-gitea/gitea/blob/v1.25.5/models/issues/pull_list.go#L72) (`models/issues/pull_list.go`), which finds the malicious PR, sees `AllowMaintainerEdit=true`, and checks whether the pusher has write access to the **BASE** repo. Since BASE is the attacker's own fork, the check passes and the push is authorized against the upstream.
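The following Go program is an added model of the two checks described above; it is not Gitea's code. It reproduces the pre-receive lookup as the advisory describes it (flag set, pusher can write to BASE) beside one possible hardening: honour the flag only when HEAD is a fork of BASE, and refuse to set it at PR creation unless the submitter can write to HEAD. The `Repo`/`PullRequest` types and the owner-only access model are assumptions made for the example.

```go
package main

import "fmt"

// Hypothetical minimal model of the relevant Gitea objects (not Gitea's real types).
type Repo struct {
	ID, ForkID int64 // ForkID is the upstream repo's ID when this repo is a fork, else 0
	Owner      string
}
type PullRequest struct {
	Base, Head          *Repo
	HeadBranch          string
	AllowMaintainerEdit bool
}
// hasWrite is a toy access model: only the repository owner has write access.
func hasWrite(user string, r *Repo) bool { return r.Owner == user }

// createPR models the PR-create endpoint. The described flaw is that the flag is bound
// without checking the submitter's write access to the HEAD repo; the hardened path does.
func createPR(submitter string, base, head *Repo, branch string, allowEdit, hardened bool) (PullRequest, error) {
	if hardened && allowEdit && !hasWrite(submitter, head) {
		return PullRequest{}, fmt.Errorf("allow_maintainer_edit requires write access to the HEAD repo")
	}
	return PullRequest{Base: base, Head: head, HeadBranch: branch, AllowMaintainerEdit: allowEdit}, nil
}

// canMaintainerWrite models the pre-receive check: a push to target:branch is granted if a PR with
// that HEAD has the flag set and the pusher can write to BASE. Hardened: HEAD must be a fork of BASE.
func canMaintainerWrite(user string, target *Repo, branch string, prs []PullRequest, hardened bool) bool {
	for _, pr := range prs {
		if pr.Head.ID != target.ID || pr.HeadBranch != branch || !pr.AllowMaintainerEdit {
			continue
		}
		if hardened && pr.Head.ForkID != pr.Base.ID { // a reverse-fork PR (BASE = fork) fails here
			continue
		}
		if hasWrite(user, pr.Base) {
			return true
		}
	}
	return false
}

func main() {
	upstream := &Repo{ID: 1, Owner: "victim"}
	fork := &Repo{ID: 2, ForkID: 1, Owner: "attacker"}
	pr, _ := createPR("attacker", fork, upstream, "main", true, false) // reverse-fork PR (constructed)
	fmt.Println("vulnerable check allows push:", canMaintainerWrite("attacker", upstream, "main", []PullRequest{pr}, false)) // true
	fmt.Println("hardened check allows push:  ", canMaintainerWrite("attacker", upstream, "main", []PullRequest{pr}, true))  // false
}
```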

## Exploitation

1. Attacker forks the target repository.
2. Attacker visits the web compare endpoint and creates a PR with `BASE = their_fork`, `HEAD = upstream`, and "Allow edits from maintainers" checked.
3. Attacker clones their fork, makes a commit, and runs `git push` with the upstream repository as the remote; the push is accepted.

## Reproduction

```bash
python3 poc.py --repo http://gitea:3000/victim/repo --user attacker --password attacker_pass
```
[poc.py](https://github.com/user-attach

## Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0, < 1.26.2 | 1.26.2 |