CVE-2026-28699
published 2026-06-16


Severity: high
Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication

### Summary

Gitea fails to enforce OAuth2 access token scopes when the token is submitted via HTTP Basic authentication instead of a Bearer token. An OAuth2 application granted only `read:user` can use the same token as `Authorization: Basic base64(:x-oauth-basic)` and perform write actions, including modifying profiles, adding email addresses, creating repositories, and deleting repositories as the authorizing user.

### Details

**Root cause:** `services/auth/basic.go` accepts OAuth2 access tokens through the Basic auth path but does not store the token scope in the request context:

```go
// services/auth/basic.go
if uid != 0 {
    store.GetData()["LoginMethod"] = OAuth2TokenMethodName
    store.GetData()["IsApiToken"] = true // scope is NOT set
    return u, nil
}
```

The scope enforcement middleware in `routers/api/v1/api.go` exits early when `ApiTokenScope` is absent:

```go
// routers/api/v1/api.go — tokenRequiresScopes
scope, scopeExists := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
if ctx.Data["IsApiToken"] != true || !scopeExists {
    return // no scope stored for this token: enforcement is skipped entirely
}
```

**Bearer (enforced):**
```
Authorization: Bearer <access token>
PATCH /api/v1/user/settings -> 403 Forbidden
```

**Basic (bypass):**
```
Authorization: Basic base64(:x-oauth-basic)
PATCH /api/v1/user/settings -> 200 OK
```
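To make the failure mode concrete, here is an added Go model (not Gitea's code) of the two context shapes and of the middleware check, with the vulnerable early return beside a fail-closed variant. `requiredScope`, `scopeAllows` and the two context constructors are constructed for this example, and the fail-closed variant is one possible hardening, not the project's actual patch.

```go
package main

import "strings"

// Simplified model of the request context Gitea's middleware reads.
type ctxData map[string]any

// Scope a write endpoint like PATCH /api/v1/user/settings demands (constructed).
const requiredScope = "write:user"

// scopeAllows is a constructed, minimal scope check: the granted
// comma-separated scope list must contain the required scope verbatim.
func scopeAllows(granted, required string) bool {
	for _, s := range strings.Split(granted, ",") {
		if strings.TrimSpace(s) == required {
			return true
		}
	}
	return false
}

// bearerContext models the Bearer path, which records the token's scope;
// basicContextVulnerable models the affected Basic path, which marks the
// token as an API token but never stores its scope.
func bearerContext(scope string) ctxData {
	return ctxData{"IsApiToken": true, "ApiTokenScope": scope}
}
func basicContextVulnerable() ctxData { return ctxData{"IsApiToken": true} }

// tokenRequiresScopesVulnerable mirrors the early return quoted above:
// a missing scope means the request is waved through unchecked.
func tokenRequiresScopesVulnerable(data ctxData, required string) bool {
	scope, scopeExists := data["ApiTokenScope"].(string)
	if data["IsApiToken"] != true || !scopeExists {
		return true
	}
	return scopeAllows(scope, required)
}

// tokenRequiresScopesFixed fails closed (an assumed hardening, not the
// project's patch): an API token that reaches the check without a stored
// scope is denied instead of skipped.
func tokenRequiresScopesFixed(data ctxData, required string) bool {
	if data["IsApiToken"] != true {
		return true // not an API token; session or other auth applies
	}
	scope, scopeExists := data["ApiTokenScope"].(string)
	return scopeExists && scopeAllows(scope, required)
}
```

Whichever side is patched, the test to keep is the same: a context marked `IsApiToken` must never reach a write handler without a scope having been checked.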

**All verified bypass endpoints using a `read:user`-only token:**

| Endpoint | Bearer | Basic |
|---|---|---|
| `PATCH /api/v1/user/settings` | 403 | 200 |
| `POST /api/v1/user/emails` | 403 | 200 |
| `POST /api/v1/user/repos` | 403 | 200 |
| `PATCH /api/v1/repos/{owner}/{repo}` | 403 | 200 |
| `DELETE /api/v1/repos/{owner}/{repo}` | 403 | 200 |

The bypass respects the user's normal repository permissions: it does not grant access to repositories the user cannot otherwise reach, and it does not escalate to admin.

### Impact

Any OAuth2 application with any restricted scope can silently operate beyond its granted permissions by switching from Bearer to Basic auth. An attacker w

### Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0, < 1.26.2 | 1.26.2 |