CVE Catalog

CVE-2026-27761

Severity: Medium (CVSS 4.3)
Source: translated from NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.37%

29th percentile — higher than 29% of all known CVEs

Summary

A vulnerability in Gitea versions up to and including 1.26.2 allows the repository RSS and Atom feed endpoints to bypass API access token scope checks. As a result, private repository commit data is exposed to API tokens that lack the required repository scope.

Risk Assessment

The organization risks leakage of confidential data from private repositories, such as commit contents, to holders of API tokens that were never granted repository access. This could lead to a breach of source code confidentiality and of other sensitive information stored in commits.

Recommendation

Immediately upgrade Gitea to version 1.26.3 or later, which includes a fix for this vulnerability. Until the update is applied, restrict access to the repository RSS/Atom feed endpoints for API tokens that lack the repository scope.

Original NVD description (English source)

Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS