CVE Catalog
CVE-2026-28744
Severity: High (CVSS 8.1)
Exploitation Probability (EPSS): Low risk, 0.34%
26th percentile — higher than 26% of all known CVEs
Summary
A vulnerability in Gitea up to version 1.26.1 allows Git smart HTTP requests authenticated with bearer tokens to bypass repository token scope checks.
Risk Assessment
An attacker with a valid bearer token can gain unauthorized access to repositories outside the token's intended scope, leading to data leakage or unauthorized modifications.
Recommendation
Upgrade Gitea immediately to version 1.26.2 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Gitea versions up to and including 1.26.1 allow Git smart HTTP requests authenticated with bearer tokens to bypass repository token scope checks.

