CVE-2026-27761
Severity: Medium (CVSS 4.3)
Exploitation Probability (EPSS): Low risk, 29th percentile (higher than 29% of all known CVEs)
Summary
A vulnerability in Gitea up to version 1.26.2 allows repository RSS and Atom feed endpoints to bypass API access token scope checks. This exposes private repository commit data to tokens lacking the required repository scope.
Risk Assessment
The organization risks leakage of confidential data from private repositories, such as commit contents, to API tokens that were never granted the repository scope. This could lead to a breach of source code confidentiality and exposure of other sensitive information carried in commit data.
Recommendation
Immediately upgrade Gitea to version 1.26.3 or later, which includes a fix for this vulnerability. Until the update is applied, restrict access to the repository RSS/Atom feed endpoints for API tokens that lack the repository scope.
Original NVD description (English source)
Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope.