CVE-2026-20706: Gitea: Token scope bypass on web archive download endpoint

June 16, 2026

PR #37698 added checkDownloadTokenScope to /raw/, /media/, and attachment download web endpoints. The /archive/* endpoint (repo.Download in routers/web/repo/repo.go:372) was not included in the fix. This endpoint accepts OAuth2 tokens via webAuth.AllowOAuth2 (registered at routers/web/web.go:1649-1652) but does not call checkDownloadTokenScope or CheckRepoScopedToken.

A personal access token with any non-repository scope (e.g., read:issue or read:misc) can download full repository archives (zip/tar.gz) of private repositories the token owner has access to.

References

github.com/advisories/GHSA-cr4g-f395-h25h
github.com/go-gitea/gitea/security/advisories/GHSA-cr4g-f395-h25h
nvd.nist.gov/vuln/detail/CVE-2026-20706

Code Behaviors & Features

Detect and mitigate CVE-2026-20706 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →