CVE Catalog

CVE-2026-28699

Severity: High (CVSS 8.1)
Published: · Translated from: NVD (NIST)

Exploitation Probability (EPSS)

Low risk: 0.57%

43rd percentile (higher than 43% of all known CVEs)

Summary

A vulnerability in Gitea up to version 1.26.1 allows bypassing OAuth2 access token scope enforcement via HTTP Basic authentication.

Risk Assessment

An attacker can gain unauthorized access to resources protected by OAuth2 tokens, leading to data confidentiality and integrity breaches.

Recommendation

It is recommended to immediately upgrade Gitea to version 1.26.2 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS