CVE-2026-28744: Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens

June 16, 2026

Gitea v1.26.1 enforces repository-scoped access-token permissions on repository operations. In the Git Smart HTTP path, however, this check runs only when the token is presented via HTTP Basic authentication — CheckRepoScopedToken() returns early unless ctx.IsBasicAuth is true — so the same token sent as Authorization: Bearer <token> bypasses the scope check entirely.

As a result, a PAT or OAuth2 token presented as a Bearer credential can clone or fetch private repositories without the read:repository scope, and likewise reach the Git push without write:repository.

References

github.com/advisories/GHSA-cc8w-r4qh-3v65
github.com/go-gitea/gitea/security/advisories/GHSA-cc8w-r4qh-3v65
nvd.nist.gov/vuln/detail/CVE-2026-28744

Code Behaviors & Features

Detect and mitigate CVE-2026-28744 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →