# CVE-2026-27783: Gitea: Missing repository-unit authorization on issue-template API endpoints
Published: 2026-06-16
Severity: medium
## Summary
Three Gitea API endpoints — `GET /repos/{owner}/{repo}/issue_templates`,
`GET /repos/{owner}/{repo}/issue_config` and `GET /repos/{owner}/{repo}/issue_config/validate`
— read files from the repository's **Code** default branch (`.gitea/ISSUE_TEMPLATE/*`
and `issue_config.yaml`) and return their contents, but are registered **without**
the `reqRepoReader(unit.TypeCode)` authorization middleware that every sibling
Code-tree endpoint in the same route group carries.
A user who has access to a private repository through *any single repository unit*
(for example an organization team granted only the **Issues** unit, with no Code
access) can therefore read the issue-template and issue-config files of that
repository's Code tree, which their permission set should not expose.
---
## Root cause
### The three endpoints lack the unit guard
`routers/api/v1/api.go:1433-1437`:

```go
m.Get("/issue_templates", context.ReferencesGitRepo(), repo.GetIssueTemplates)
m.Get("/issue_config", context.ReferencesGitRepo(), repo.GetIssueConfig)
m.Get("/issue_config/validate", context.ReferencesGitRepo(), repo.ValidateIssueConfig)
m.Get("/languages", reqRepoReader(unit.TypeCode), repo.GetLanguages)
m.Get("/licenses", reqRepoReader(unit.TypeCode), repo.GetLicenses)
```
`context.ReferencesGitRepo()` only opens the git repository — it performs no
permission check. Every other endpoint in this group that reads Code-tree content
is guarded with `reqRepoReader(unit.TypeCode)`: `/languages`, `/licenses`,
`/contents/*`, `/file-contents`, and `/{ball_type:tarball|zipball|bundle}/*`
(api.go:1418-1445). The three issue-template endpoints are the only Code-tree
readers in the group missing that guard.
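The route chain described above, as an added example that is not Gitea's own code: a reduced net/http model in which the group-level `repoAssignment()` check passes any caller with at least one readable unit, and `reqRepoReader(unit.TypeCode)` is the per-unit guard the sibling `/languages` route carries. The unit types, the `Permission` map, the `guard` helper and the stand-in handler are assumptions replacing Gitea's `unit`, `access` and `context` packages; an Issues-only caller gets 200 from the unguarded registration and 403 once the guard is added.

```go
package main
import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed simplified model of Gitea's repository units and a caller's per-unit read access.
type UnitType int
const TypeCode, TypeIssues UnitType = 0, 1
type Permission map[UnitType]bool // readable units on the repository
type ctxKey struct{}               // request-context slot holding the caller's Permission

// guard rejects the request with status unless allow(perm) holds; both checks below use it.
func guard(allow func(Permission) bool, status int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if p, _ := r.Context().Value(ctxKey{}).(Permission); !allow(p) {
			http.Error(w, http.StatusText(status), status)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// repoAssignment models the group-level check: access to any unit is enough to pass.
func repoAssignment(next http.Handler) http.Handler {
	return guard(func(p Permission) bool { return p[TypeCode] || p[TypeIssues] }, http.StatusNotFound, next)
}

// reqRepoReader is the per-unit guard the three issue-template endpoints lacked.
func reqRepoReader(u UnitType, next http.Handler) http.Handler {
	return guard(func(p Permission) bool { return p[u] }, http.StatusForbidden, next)
}

// Stand-in for repo.GetIssueTemplates, which reads .gitea/ISSUE_TEMPLATE/* from the Code tree.
var getIssueTemplates = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, `[{"name":"bug"}]`) })
var vulnerableRoute = repoAssignment(getIssueTemplates)                       // registration before the fix
var fixedRoute = repoAssignment(reqRepoReader(TypeCode, getIssueTemplates)) // with the Code-unit guard

// call performs GET /issue_templates as a caller holding perm and returns the HTTP status code.
func call(h http.Handler, perm Permission) int {
	req := httptest.NewRequest(http.MethodGet, "/repos/org/private/issue_templates", nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req.WithContext(context.WithValue(req.Context(), ctxKey{}, perm)))
	return rec.Code
}
func main() {
	issuesOnly := Permission{TypeIssues: true} // a team granted only the Issues unit, no Code access
	fmt.Println(call(vulnerableRoute, issuesOnly), call(fixedRoute, issuesOnly)) // prints: 200 403
}
```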
The enclosing group runs `repoAssignment()` (api.go:1446), whose access check is
satisfied by `HasAnyUnitAccessOrPublicAccess` — i.e. access to **any** unit of the
repository is sufficient to pass. Without a per-unit `req`
## Affected ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.26.2 | 1.26.2 |