CVE-2026-20706
Gitea · Open Source Git Server
A security flaw in Gitea allows unauthorized users to bypass token scope checks when downloading repository archives via the web interface.
Executive summary
An authorization bypass in Gitea Open Source Git Server allows unauthorized access to repository archives, leading to potential exposure of sensitive source code.
Vulnerability
The vulnerability exists in the web archive download endpoint, which fails to correctly enforce token scope checks. This allows an unauthenticated or unauthorized user to download repository archives that should be restricted based on their security token permissions.
Business impact
The CVSS score of 9.1 (Critical) underscores the severity of this unauthorized data access. If exploited, an attacker could exfiltrate proprietary source code, intellectual property, or sensitive configuration data, resulting in significant business impact and potential regulatory non-compliance.
Remediation
Immediate Action: Patch the Gitea installation to version 1.26.2 or later to restore proper enforcement of token scope checks.
Proactive Monitoring: Audit access logs for unusual patterns of archive download requests, especially those originating from unauthorized or unexpected IP addresses.
Compensating Controls: Restrict access to the repository archive download endpoint via network-level controls or WAF rules if the update cannot be applied immediately.
Exploitation status
Public Exploit Available: True
Analyst recommendation
Given the critical nature of this vulnerability and the availability of public exploits, organizations should treat this as a high-priority update. Ensure all Gitea instances are updated to the latest version to protect source code integrity.