Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-27660

CVE-2026-27660: Gitea Auth Bypass Vulnerability

CVE-2026-27660 is an authentication bypass vulnerability in Gitea that allows unauthorized access to draft release data and attachments. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-27660 Overview

CVE-2026-27660 is a broken access control vulnerability [CWE-284] in Gitea, an open-source self-hosted Git service. Versions prior to 1.25.5 allow draft release data and attachments to be accessed without the required write permission. The flaw exposes pre-release repository content to users who should not have visibility into unpublished material.

The issue is network-exploitable, requires no authentication, and no user interaction. Successful exploitation impacts data integrity by exposing draft release artifacts intended to remain restricted to maintainers.

Critical Impact

Unauthorized users can read draft release data and attached files from Gitea repositories, potentially exposing unreleased code, binaries, or sensitive project artifacts before intended publication.

Affected Products

  • Gitea versions prior to 1.25.5
  • Self-hosted Gitea instances exposing repository release endpoints
  • Gitea deployments serving repositories with draft releases containing attachments

Discovery Timeline

  • 2026-07-03 - CVE-2026-27660 published to NVD
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2026-27660

Vulnerability Analysis

Gitea supports a draft release workflow where maintainers stage release notes, binaries, and attachments before public publication. Draft releases must remain restricted to users holding write permission on the repository. In versions before 1.25.5, the release retrieval endpoints do not consistently enforce this permission check for draft-state releases.

As a result, requests to draft release resources succeed even when issued by users with only read access, or in some configurations by unauthenticated visitors on public repositories. Both the release metadata and any attached files can be retrieved through the affected endpoints.

The vendor addressed the issue in Gitea 1.25.5 via GitHub Pull Request #36659 and GitHub Pull Request #36715, which add the missing write-permission verification for draft release access paths.

Root Cause

The root cause is improper access control [CWE-284] in the release handling logic. Authorization checks that verified whether a caller had write permission were missing or incorrectly scoped in the code paths serving draft releases and their attachments. Draft state is a maintainer-only condition, so any handler exposing draft content must enforce write-level authorization before returning data.

Attack Vector

An attacker with network access to a Gitea instance sends an HTTP request to the release or attachment API endpoints referencing a draft release. Because the permission check is absent, the server returns the draft metadata or attachment content. The attacker does not need to authenticate as a maintainer and does not need to trick a user into any action. See the Gitea Blog Release Announcement for release context.

The vulnerability manifests in the release API handlers. No verified public proof-of-concept code is available. Refer to the linked pull requests for the exact code paths that were modified.

Detection Methods for CVE-2026-27660

Indicators of Compromise

  • Unexpected HTTP 200 responses to /api/v1/repos/{owner}/{repo}/releases calls from accounts lacking write permission
  • Access log entries showing downloads of attachment URLs tied to releases that were never published
  • Requests to release IDs by users who do not appear in the repository collaborators list

Detection Strategies

  • Review Gitea access logs for read access to release endpoints followed by attachment fetches from non-maintainer accounts
  • Correlate repository collaborator membership against the set of users who retrieved release metadata or attachment blobs
  • Alert on anonymous requests to release attachment paths on repositories that have draft releases configured

Monitoring Recommendations

  • Enable Gitea request logging at a verbosity that captures endpoint path, user identity, and HTTP status
  • Forward Gitea logs to a centralized SIEM or data lake for permission-aware correlation against repository membership
  • Track version banners exposed by Gitea instances to identify hosts still running releases below 1.25.5

How to Mitigate CVE-2026-27660

Immediate Actions Required

  • Upgrade all Gitea instances to version 1.25.5 or later using the artifacts from the Gitea Release Tag v1.25.5
  • Audit existing draft releases and rotate or invalidate any secrets, tokens, or unreleased binaries that may have been exposed
  • Restrict network exposure of Gitea administrative and API endpoints to trusted networks until the upgrade completes

Patch Information

Gitea 1.25.5 contains the fix. The permission enforcement changes are implemented in GitHub Pull Request #36659 and GitHub Pull Request #36715. Administrators should validate the running version after upgrade with gitea --version and confirm the release notes align with the Gitea Blog Release Announcement.

Workarounds

  • Avoid using the draft release feature until the upgrade is applied; publish releases directly or stage them in a private repository
  • Remove sensitive attachments from any existing draft releases and store them outside Gitea until patched
  • Restrict repository visibility to authenticated collaborators only, reducing the exposed attack surface for anonymous requests
bash
# Upgrade example for a binary Gitea installation
systemctl stop gitea
cp /usr/local/bin/gitea /usr/local/bin/gitea.bak
curl -L -o /usr/local/bin/gitea \
  https://github.com/go-gitea/gitea/releases/download/v1.25.5/gitea-1.25.5-linux-amd64
chmod +x /usr/local/bin/gitea
systemctl start gitea
gitea --version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.