CVE-2025-68941 Overview
CVE-2025-68941 is an improper authorization vulnerability in Gitea, an open-source self-hosted Git service. Gitea versions before 1.22.3 mishandle access checks when an API token scoped to public resources is used against private resources. Attackers with a public-scope token can retrieve information they should not be authorized to access. The flaw is tracked under CWE-863: Incorrect Authorization and affects the confidentiality of private repositories and related resources.
Critical Impact
An API token limited to public resources can be used to access private resources, breaking the token scope boundary and exposing confidential repository data.
Affected Products
- Gitea versions prior to 1.22.3
- Self-hosted Gitea instances exposing the REST API
- Gitea deployments issuing scoped personal access tokens
Discovery Timeline
- 2025-12-26 - CVE-2025-68941 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-68941
Vulnerability Analysis
Gitea supports scoped API tokens that restrict what a token can read or write. A token can be issued with a scope limited to public resources only. The vulnerability stems from an incomplete authorization check in the API request handler. When a request presented a public-scope token, the code failed to reject access to resources marked as private.
As a result, a caller holding a public-only token could enumerate or read private repository metadata and content belonging to the token owner or accessible to that user. The scope constraint intended to reduce token blast radius was not enforced consistently across API routes. The issue is a logic flaw, not a memory safety or injection defect.
Root Cause
The root cause is missing scope validation between the token's declared permission and the visibility attribute of the target resource. The authorization layer verified user access rights but did not cross-check the token scope against the resource's public or private classification. This gap allowed the token to inherit the underlying user's full read privileges rather than remaining bound to public data. The fix landed in Gitea Pull Request #32218 and shipped in the Gitea 1.22.3 release.
Attack Vector
Exploitation requires network access to the Gitea API and possession of a valid public-scope API token. An attacker who obtains or is granted such a token, for example through a compromised CI system or a third-party integration, can call private-resource endpoints and receive data. No user interaction and no elevated privileges are required beyond the token itself.
No public proof-of-concept code has been published. The vulnerability is described in prose in the vendor advisory rather than through a released exploit. See the Gitea 1.22.3 release notes for the fix reference.
Detection Methods for CVE-2025-68941
Indicators of Compromise
- API access logs showing tokens with public-only scope successfully reading endpoints tied to private repositories.
- Unexpected 200 OK responses on /api/v1/repos/{owner}/{private-repo} calls when the requesting token should be limited to public data.
- Sudden increases in API read volume from integration accounts or CI service tokens.
Detection Strategies
- Audit the Gitea instance version and confirm it is 1.22.3 or later.
- Correlate API access logs with the token scope registry to flag any private-resource access performed by public-scope tokens.
- Review token issuance records for tokens created before the patch date and rotate them.
Monitoring Recommendations
- Forward Gitea API and application logs to a centralized log platform for retention and query.
- Alert on API responses that return private repository payloads to callers that should be restricted by scope.
- Track authentication events per token identifier to spot anomalous read patterns.
How to Mitigate CVE-2025-68941
Immediate Actions Required
- Upgrade Gitea to version 1.22.3 or later on all self-hosted instances.
- Revoke and reissue existing API tokens, especially those advertised as scoped to public resources.
- Review historical API access logs for signs of private-resource reads by public-scope tokens.
Patch Information
The fix is included in Gitea 1.22.3. The upstream change is available in Gitea Pull Request #32218 and referenced in the Gitea 1.22.3 release announcement. Administrators should apply the vendor-supplied release for their deployment method, whether binary, Docker image, or package repository.
Workarounds
- Avoid issuing tokens with public-only scope until the upgrade is complete, and instead rely on short-lived, tightly scoped credentials.
- Restrict network access to the Gitea API to trusted networks and identity-verified clients.
- Set repository visibility to private only where required and audit membership on sensitive repositories to reduce exposure surface.
# Verify installed Gitea version and upgrade path
gitea --version
# Expected output should show 1.22.3 or later after upgrade
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

