CVE-2026-28699: Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication
Gitea fails to enforce OAuth2 access token scopes when the token is submitted via HTTP Basic authentication instead of as a Bearer token. An OAuth2 application granted only the read:user scope can present the same token as Authorization: Basic base64(<token>:x-oauth-basic) and perform write actions as the authorizing user, including modifying the profile, adding email addresses, and creating and deleting repositories.
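The defect class described above is an authorization check that is tied to one transport of the credential rather than to the credential itself. The following Go program is an added illustration written for this page, not Gitea's code: it resolves an access token from either header form (Bearer, or Basic with the <token>:x-oauth-basic convention the advisory names), then shows a vulnerable authorizer that skips the scope check on the Basic path next to a fixed one that checks scopes regardless of how the token arrived. The token values, scope names and method-to-scope mapping are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// Constructed token store: token value -> granted OAuth2 scopes.
// Illustrative values only; not Gitea's token format or scope set.
var tokenScopes = map[string][]string{
	"tok_readonly": {"read:user"},
	"tok_full":     {"read:user", "write:user", "read:repository", "write:repository"},
}

// extractToken pulls an OAuth2 access token out of an Authorization header.
// It accepts the Bearer form and the Basic form where the "username" is the
// token and the "password" is the literal x-oauth-basic. viaBasic reports
// which path delivered the token so the vulnerable variant can branch on it.
func extractToken(authHeader string) (token string, viaBasic bool, ok bool) {
	switch {
	case strings.HasPrefix(authHeader, "Bearer "):
		return strings.TrimSpace(authHeader[len("Bearer "):]), false, true
	case strings.HasPrefix(authHeader, "Basic "):
		raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(authHeader[len("Basic "):]))
		if err != nil {
			return "", true, false
		}
		user, pass, found := strings.Cut(string(raw), ":")
		if !found || pass != "x-oauth-basic" {
			return "", true, false // ordinary username:password, not a token
		}
		return user, true, true
	}
	return "", false, false
}

// requiredScope maps an HTTP method onto the scope a request needs
// (simplified: safe methods need read:<resource>, everything else write:<resource>).
func requiredScope(method, resource string) string {
	if method == http.MethodGet || method == http.MethodHead {
		return "read:" + resource
	}
	return "write:" + resource
}

func hasScope(scopes []string, want string) bool {
	for _, s := range scopes {
		if s == want {
			return true
		}
	}
	return false
}

// authorizeVulnerable reproduces the defect class: scopes are only consulted
// on the Bearer path, so a token arriving via Basic is treated like a password
// and inherits the full authority of the authorizing user.
func authorizeVulnerable(method, resource, authHeader string) error {
	token, viaBasic, ok := extractToken(authHeader)
	if !ok {
		return fmt.Errorf("unauthenticated")
	}
	scopes, known := tokenScopes[token]
	if !known {
		return fmt.Errorf("invalid token")
	}
	if viaBasic {
		return nil // BUG: scope check skipped for Basic-delivered tokens
	}
	if !hasScope(scopes, requiredScope(method, resource)) {
		return fmt.Errorf("insufficient scope")
	}
	return nil
}

// authorizeFixed resolves the token once and applies the scope check to
// every delivery path; the header form carries no authorization meaning.
func authorizeFixed(method, resource, authHeader string) error {
	token, _, ok := extractToken(authHeader)
	if !ok {
		return fmt.Errorf("unauthenticated")
	}
	scopes, known := tokenScopes[token]
	if !known {
		return fmt.Errorf("invalid token")
	}
	if !hasScope(scopes, requiredScope(method, resource)) {
		return fmt.Errorf("insufficient scope")
	}
	return nil
}

// basicHeader builds the Basic form of a token (constructed helper).
func basicHeader(token string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(token+":x-oauth-basic"))
}

func main() {
	h := basicHeader("tok_readonly")
	fmt.Println("vulnerable, POST user via Basic:", authorizeVulnerable(http.MethodPost, "user", h))
	fmt.Println("fixed,      POST user via Basic:", authorizeFixed(http.MethodPost, "user", h))
	fmt.Println("fixed,      GET  user via Basic:", authorizeFixed(http.MethodGet, "user", h))
}
```

The structural point for reviewers is that the fixed authorizer has a single scope check that every credential path flows through; a regression test that exercises each accepted header form against a write endpoint with a read-only token is what catches this class of bug.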