3 matches found
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the handling of token scope restrictions in the /api/v1/user route group. An attacker can gain unauthorized access to or modify private account resources by using a token or OAuth grant marked as public-only,...
GHSA-WRR5-99H5-GQ57 Gitea: Public-only tokens bypass private-resource restrictions on `/api/v1/user` self routes
Summary Many authenticated self routes under /api/v1/user/... do not enforce the public-only token restriction. As a result, a token or OAuth grant marked public-only, but otherwise carrying the route-required read/write scope category, can access or modify private account resources through self...
PT-2026-50584
Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.26.2 Description Authenticated self routes under the /api/v1/user/... group do not properly enforce the public-only token restriction. This allows a token or OAuth grant marked as public-only to access or modify priva...