CVE-2026-25714
Severity: Medium (CVSS 4.3)
Exploitation Probability (EPSS): Low risk, 19th percentile (higher than 19% of all known CVEs)
Summary
Gitea versions up to and including 1.26.1 do not consistently apply public-only token filtering in the user organization API, leaving the fix for CVE-2025-68941 incomplete.
Risk Assessment
The risk is that a token scoped to public-only operations could be used to retrieve organization data it should not be able to access, which may lead to the disclosure of sensitive information.
Recommendation
It is recommended to immediately upgrade Gitea to a version later than 1.26.1 that includes a complete fix for this issue.
Original NVD description (English source)
Gitea versions up to and including 1.26.1 do not apply public-only token filtering consistently to the user organization API, leaving an incomplete fix for CVE-2025-68941.