CVE Catalog
CVE-2026-28699
Severity: High (CVSS 8.1)
Exploitation Probability (EPSS): Low risk, 0.57%
43rd percentile (higher than 43% of all known CVEs)
Summary
A vulnerability in Gitea up to version 1.26.1 allows bypassing OAuth2 access token scope enforcement via HTTP Basic authentication.
Risk Assessment
An attacker can gain unauthorized access to resources protected by OAuth2 tokens, leading to data confidentiality and integrity breaches.
Recommendation
It is recommended to immediately upgrade Gitea to version 1.26.2 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication.

