CVE-2026-28699

Summary

Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication.

Affected Software

VendorProductVersion RangeStatus
GiteaGitea Open Source Git Server0 <= 1.26.1affected

Weaknesses

  • CWE-284: Improper Access Control
  • CWE-863: Incorrect Authorization

References