CVE Catalog

CVE-2026-28744

Severity: High · CVSS 8.1
Published: · Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.34%

26th percentile — higher than 26% of all known CVEs

Summary

A vulnerability in Gitea up to version 1.26.1 allows Git smart HTTP requests authenticated with bearer tokens to bypass repository token scope checks.

Risk Assessment

An attacker with a valid bearer token can gain unauthorized access to repositories outside the token's intended scope, leading to data leakage or unauthorized modifications.

Recommendation

Upgrade Gitea to version 1.26.2 or later immediately; that release includes the fix for this vulnerability.

Original NVD description (English source)

Gitea versions up to and including 1.26.1 allow Git smart HTTP requests authenticated with bearer tokens to bypass repository token scope checks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS