3 matches found
CVE-2026-25714
Gitea is vulnerable to CVE-2026-25714: versions up to 1.26.1 do not consistently apply public-only token filtering in the user orgs API, leaving an incomplete fix for CVE-2025-68941. This allows a public-only token to enumerate private organizations belonging to the token owner, violating scope r...
GHSA-8629-VC8R-5P58 Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw
Summary Two related issues in the token public-only scope enforcement introduced by PR 32204 CVE-2025-68941 fix. A public-only scoped API token can access private organization data. Issue 1: /user/orgs missing checkTokenPublicOnly routers/api/v1/api.go line 1599: go m.Get"/user/orgs", reqToken,...
PT-2026-50135
Name of the Vulnerable Software and Affected Versions Gitea affected versions not specified Description An issue exists in the token public-only scope enforcement where a public-only scoped API token can access private organization data. This occurs due to two flaws: the endpoint '/user/orgs' is...