CVE-2026-26231

Gitea · Gitea Open Source Git Server

Gitea is susceptible to an authorization bypass where authenticated low-privilege users can push unauthorized commits to repositories by abusing the pull request maintainer edit flag.

Executive summary

A critical authorization bypass vulnerability in Gitea allows authenticated low-privileged users to perform unauthorized write operations on repositories.

Vulnerability

This is an authorization bypass vulnerability affecting the "Allow edits from maintainers" feature. An authenticated user with read-only access can exploit this by using reverse-fork pull requests to push commits to an upstream repository without proper write-access validation.

Business impact

The ability for unauthorized users to push arbitrary code to repositories poses a severe risk to software supply chain integrity. With a CVSS score of 8.5, this vulnerability could lead to the injection of malicious code, backdoors, or the corruption of production-ready source code, resulting in significant reputational damage and potential system compromise.

Remediation

Immediate Action: Upgrade all Gitea instances to version 1.26.2 or later to resolve the authorization logic flaw.

Proactive Monitoring: Review repository commit logs for suspicious activity or unexpected contributions from users who do not hold write permissions.

Compensating Controls: Strictly enforce branch protection rules and require signed commits to ensure that only authorized changes are merged into critical branches.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.5, this vulnerability represents a significant risk to development environments. Organizations should prioritize the update to Gitea 1.26.2 immediately to prevent unauthorized code injection and maintain the integrity of their Git workflows.