CVE-2026-28699
Published: 2026-06-16
Severity: high
Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication
### Summary
Gitea fails to enforce OAuth2 access token scopes when the token is submitted via HTTP Basic authentication instead of a Bearer token. An OAuth2 application granted only `read:user` can use the same token as `Authorization: Basic base64(:x-oauth-basic)` and perform write actions, including modifying profiles, adding email addresses, creating repositories, and deleting repositories as the authorizing user.
### Details
**Root cause:** `services/auth/basic.go` accepts OAuth2 access tokens through the Basic auth path but does not store the token scope in the request context:
```go
// services/auth/basic.go
if uid != 0 {
    store.GetData()["LoginMethod"] = OAuth2TokenMethodName
    store.GetData()["IsApiToken"] = true // scope is NOT set
    return u, nil
}
```
The scope enforcement middleware in `routers/api/v1/api.go` exits early when `ApiTokenScope` is absent, so a token request with no recorded scope is never checked:
```go
// routers/api/v1/api.go — tokenRequiresScopes
scope, scopeExists := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
if ctx.Data["IsApiToken"] != true || !scopeExists {
    return // no scope recorded: enforcement is skipped
}
```
**Bearer (scope enforced):**
```
Authorization: Bearer <access token>
PATCH /api/v1/user/settings -> 403 Forbidden
```
**Basic (bypass):**
```
Authorization: Basic base64(<access token>:x-oauth-basic)
PATCH /api/v1/user/settings -> 200 OK
```
**All verified bypass endpoints using a `read:user`-only token:**
| Endpoint | Bearer | Basic |
|---|---|---|
| `PATCH /api/v1/user/settings` | 403 | 200 |
| `POST /api/v1/user/emails` | 403 | 200 |
| `POST /api/v1/user/repos` | 403 | 200 |
| `PATCH /api/v1/repos/{owner}/{repo}` | 403 | 200 |
| `DELETE /api/v1/repos/{owner}/{repo}` | 403 | 200 |
The bypass still respects the user's normal repository permissions: it does not grant access to repositories the user cannot otherwise reach, and it does not escalate to admin.
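The two code paths above can be modelled in a few dozen lines. The following Go program is an added example written for this page, not Gitea's code: it reproduces the pre-fix Basic path (scope never stored), the Bearer path (scope stored), and the early-return middleware, then shows the two defensive changes that close the gap: storing the scope on the Basic path, and making `tokenRequiresScopes` fail closed when an API token arrives without a recorded scope. `tokenStore`, `hasScope`, `handle` and the sample token are constructed for the example; the context keys mirror the names quoted in the advisory.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// AccessTokenScope mirrors the role of auth_model.AccessTokenScope (model only).
type AccessTokenScope string

type oauthToken struct {
	UserID int64
	Scope  AccessTokenScope
}

// Constructed sample: one OAuth2 access token granted only read:user.
var tokenStore = map[string]oauthToken{
	"tok_readonly_sample": {UserID: 42, Scope: "read:user"},
}

// ctxData stands in for ctx.Data / store.GetData().
type ctxData map[string]any

// hasScope reports whether the granted scope list covers the required scope.
// Assumption for this model: comma-separated scopes, and write:X implies read:X.
func (s AccessTokenScope) hasScope(required string) bool {
	for _, g := range strings.Split(string(s), ",") {
		g = strings.TrimSpace(g)
		if g == required {
			return true
		}
		if strings.HasPrefix(required, "read:") && g == "write:"+strings.TrimPrefix(required, "read:") {
			return true
		}
	}
	return false
}

// tokenFromAuthHeader accepts "Bearer <token>" or "Basic base64(<token>:x-oauth-basic)".
func tokenFromAuthHeader(h string) (token string, viaBasic bool, ok bool) {
	switch {
	case strings.HasPrefix(h, "Bearer "):
		return strings.TrimPrefix(h, "Bearer "), false, true
	case strings.HasPrefix(h, "Basic "):
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(h, "Basic "))
		if err != nil {
			return "", true, false
		}
		user, pass, found := strings.Cut(string(raw), ":")
		if !found || pass != "x-oauth-basic" {
			return "", true, false
		}
		return user, true, true
	}
	return "", false, false
}

// authenticate resolves the token and fills the request context. The Bearer path
// always records the scope; the Basic path records it only when
// basicStoresScope is true (false reproduces the pre-fix basic.go behaviour).
func authenticate(h string, basicStoresScope bool) (ctxData, bool) {
	token, viaBasic, ok := tokenFromAuthHeader(h)
	if !ok {
		return nil, false
	}
	t, found := tokenStore[token]
	if !found {
		return nil, false
	}
	data := ctxData{"LoginMethod": "oauth2", "IsApiToken": true, "UserID": t.UserID}
	if !viaBasic || basicStoresScope {
		data["ApiTokenScope"] = t.Scope
	}
	return data, true
}

// tokenRequiresScopes mirrors the middleware. With failClosed=false a token request
// without a recorded scope is allowed through (the bug); with failClosed=true it is denied.
func tokenRequiresScopes(data ctxData, required string, failClosed bool) int {
	if data["IsApiToken"] != true {
		return 200 // not an API-token request; other auth applies
	}
	scope, scopeExists := data["ApiTokenScope"].(AccessTokenScope)
	if !scopeExists {
		if failClosed {
			return 403
		}
		return 200 // vulnerable early return: nothing enforced
	}
	if !scope.hasScope(required) {
		return 403
	}
	return 200
}

// handle returns the status a write endpoint such as PATCH /api/v1/user/settings
// would produce for the given header under the given server behaviour.
func handle(authHeader, requiredScope string, basicStoresScope, failClosed bool) int {
	data, ok := authenticate(authHeader, basicStoresScope)
	if !ok {
		return 401
	}
	return tokenRequiresScopes(data, requiredScope, failClosed)
}

func basicHeader(token string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(token+":x-oauth-basic"))
}

func main() {
	bearer, basic := "Bearer tok_readonly_sample", basicHeader("tok_readonly_sample")
	fmt.Println("Bearer, pre-fix:        ", handle(bearer, "write:user", false, false)) // 403
	fmt.Println("Basic,  pre-fix:        ", handle(basic, "write:user", false, false))  // 200 (bypass)
	fmt.Println("Basic,  scope stored:   ", handle(basic, "write:user", true, false))   // 403
	fmt.Println("Basic,  fail closed:    ", handle(basic, "write:user", false, true))   // 403
}
```

Either change alone closes the bypass; applying both is the defensive choice, since a fail-closed middleware also covers any future authentication path that forgets to record a scope.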
### Impact
Any OAuth2 application with any restricted scope can silently operate beyond its granted permissions by switching from Bearer to Basic auth. An attacker w
### Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.26.2 | 1.26.2 |