cbcvebase.
CVE-2026-28744
published 2026-06-16


Severity: high
Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens

### Summary
Gitea v1.26.1 enforces repository-scoped access-token permissions on repository operations. In the Git Smart HTTP path, however, this check runs only when the token is presented via HTTP Basic authentication: `CheckRepoScopedToken()` returns early unless `ctx.IsBasicAuth` is true, so the same token sent in an `Authorization: Bearer` header bypasses the scope check entirely.

As a result, a PAT or OAuth2 token presented as a Bearer credential can clone or fetch private repositories without the `read:repository` scope, and likewise reach the Git push path without `write:repository`.

### Details
Git Smart HTTP routes allow both Basic auth and OAuth2/Bearer auth:

```go
// routers/web/web.go
addOwnerRepoGitHTTPRouters(
	m,
	repo.HTTPGitEnabledHandler,
	webAuth.AllowBasic,  // HTTP Basic auth accepted
	webAuth.AllowOAuth2, // OAuth2/Bearer auth accepted as well
	repo.CorsHandler(),
	optSignInFromAnyOrigin,
	context.UserAssignmentWeb(),
)
```

The Git HTTP authorization path calls `CheckRepoScopedToken()` before falling through to normal repository RBAC:

```go
// routers/web/repo/githttp.go
if askAuth {
	if !ctx.IsSigned {
		ctx.HTTPError(http.StatusUnauthorized)
		return nil
	}

	context.CheckRepoScopedToken(ctx, repo, auth_model.GetScopeLevelFromAccessMode(accessMode))
	if ctx.Written() {
		return nil
	}

	// normal repository RBAC follows
}
```

However, `CheckRepoScopedToken()` only enforces token scopes for Basic-authenticated requests:

```go
// services/context/permission.go
func CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository, level auth_model.AccessTokenScopeLevel) {
	// Any non-Basic request returns here, so a Bearer token is never scope-checked.
	if !ctx.IsBasicAuth || ctx.Data["IsApiToken"] != true {
		return
	}

	scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
	if ok {
		requiredScopes := auth_model.GetRequiredScopes(level, auth_model.AccessTokenScopeCategoryRepository)
		// public-only and required repository scope checks follow
	}
}
```
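The gate in `CheckRepoScopedToken()` modelled side by side with a form that enforces scopes for any API token regardless of the header that carried it, as an added example that is not Gitea's code. The `Context` struct, `CheckVulnerable`, `CheckFixed`, `Denied` and the write-implies-read scope rule are assumptions of this stand-alone model.

```go
package main

import "fmt"

// Context is a minimal stand-in for the Gitea request fields the check reads.
type Context struct {
	IsBasicAuth bool            // credential arrived via HTTP Basic auth
	IsApiToken  bool            // request authenticated with a PAT/OAuth2 token
	TokenScope  map[string]bool // scopes granted to that token (constructed)
	Written     bool            // set when the check wrote an error response
}

// scopeGranted reports whether the token's scopes satisfy the required one.
// Assumption for this example: write:repository implies read:repository.
func scopeGranted(scopes map[string]bool, required string) bool {
	return scopes[required] || (required == "read:repository" && scopes["write:repository"])
}

// CheckVulnerable mirrors the flawed gate: a non-Basic (Bearer) request
// returns before any scope is examined, so scopes are never enforced.
func CheckVulnerable(ctx *Context, required string) {
	if !ctx.IsBasicAuth || !ctx.IsApiToken {
		return
	}
	if !scopeGranted(ctx.TokenScope, required) {
		ctx.Written = true // a 403 would be written here
	}
}

// CheckFixed enforces scopes for every API token, whatever header carried it.
func CheckFixed(ctx *Context, required string) {
	if ctx.IsApiToken && !scopeGranted(ctx.TokenScope, required) {
		ctx.Written = true
	}
}

// Denied runs one check on a fresh token context and reports whether it refused.
func Denied(check func(*Context, string), basic bool, scopes []string, required string) bool {
	ctx := &Context{IsBasicAuth: basic, IsApiToken: true, TokenScope: map[string]bool{}}
	for _, s := range scopes {
		ctx.TokenScope[s] = true
	}
	check(ctx, required)
	return ctx.Written
}

func main() {
	fmt.Println("Bearer, vulnerable check denied:", Denied(CheckVulnerable, false, []string{"read:user"}, "read:repository"))
	fmt.Println("Bearer, fixed check denied:", Denied(CheckFixed, false, []string{"read:user"}, "read:repository"))
}
```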

The Bearer/OAuth2 auth path still records the token scope:

```go
// services/auth/oauth2.
```

### Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0, < 1.26.2 | 1.26.2 |