{"api_version":"1","generated_at":"2026-07-04T19:04:34+00:00","cve":"CVE-2026-26231","urls":{"html":"https://cve.report/CVE-2026-26231","api":"https://cve.report/api/cve/CVE-2026-26231.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-26231","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-26231"},"summary":{"title":"Gitea maintainer-edit permissions allow unauthorized commits to readable repositories","description":"Gitea versions up to and including 1.26.1 allow the Allow edits from maintainers permission path to authorize commits to repositories that the user can read but should not be able to write.","state":"PUBLISHED","assigner":"Gitea","published_at":"2026-07-03 21:16:58","updated_at":"2026-07-03 21:16:58"},"problem_types":["CWE-863","CWE-863 CWE-863"],"metrics":[{"version":"3.1","source":"88ee5874-cf24-4952-aea0-31affedb7ff2","type":"Secondary","score":"8.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.5,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/go-gitea/gitea/pull/37484","name":"https://github.com/go-gitea/gitea/pull/37484","refsource":"88ee5874-cf24-4952-aea0-31affedb7ff2","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/go-gitea/gitea/pull/37479","name":"https://github.com/go-gitea/gitea/pull/37479","refsource":"88ee5874-cf24-4952-aea0-31affedb7ff2","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://blog.gitea.com/release-of-1.26.2/","name":"https://blog.gitea.com/release-of-1.26.2/","refsource":"88ee5874-cf24-4952-aea0-31affedb7ff2","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/go-gitea/gitea/releases/tag/v1.26.2","name":"https://github.com/go-gitea/gitea/releases/tag/v1.26.2","refsource":"88ee5874-cf24-4952-aea0-31affedb7ff2","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/go-gitea/gitea/security/advisories/GHSA-mm7c-rhg6-qr4r","name":"https://github.com/go-gitea/gitea/security/advisories/GHSA-mm7c-rhg6-qr4r","refsource":"88ee5874-cf24-4952-aea0-31affedb7ff2","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-26231","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26231","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Gitea","product":"Gitea Open Source Git Server","version":"affected 1.26.1 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"ddd","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Gitea Open Source Git Server","vendor":"Gitea","versions":[{"lessThanOrEqual":"1.26.1","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"reporter","value":"ddd"}],"descriptions":[{"lang":"en","value":"Gitea versions up to and including 1.26.1 allow the Allow edits from maintainers permission path to authorize commits to repositories that the user can read but should not be able to write."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.5,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-03T20:19:34.133Z","orgId":"88ee5874-cf24-4952-aea0-31affedb7ff2","shortName":"Gitea"},"references":[{"name":"GitHub Security Advisory","tags":["vendor-advisory"],"url":"https://github.com/go-gitea/gitea/security/advisories/GHSA-mm7c-rhg6-qr4r"},{"name":"GitHub Pull Request #37479","tags":["patch"],"url":"https://github.com/go-gitea/gitea/pull/37479"},{"name":"GitHub Pull Request #37484","tags":["patch"],"url":"https://github.com/go-gitea/gitea/pull/37484"},{"name":"Gitea v1.26.2 Release","tags":["release-notes"],"url":"https://github.com/go-gitea/gitea/releases/tag/v1.26.2"},{"name":"Gitea v1.26.2 Release Blog Post","tags":["release-notes"],"url":"https://blog.gitea.com/release-of-1.26.2/"}],"title":"Gitea maintainer-edit permissions allow unauthorized commits to readable repositories","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"88ee5874-cf24-4952-aea0-31affedb7ff2","assignerShortName":"Gitea","cveId":"CVE-2026-26231","datePublished":"2026-07-03T20:19:34.133Z","dateReserved":"2026-03-03T03:25:59.965Z","dateUpdated":"2026-07-03T20:19:34.133Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-03 21:16:58","lastModifiedDate":"2026-07-03 21:16:58","problem_types":["CWE-863","CWE-863 CWE-863"],"metrics":{"cvssMetricV31":[{"source":"88ee5874-cf24-4952-aea0-31affedb7ff2","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":4.7}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"26231","Ordinal":"1","Title":"Gitea maintainer-edit permissions allow unauthorized commits to ","CVE":"CVE-2026-26231","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"26231","Ordinal":"1","NoteData":"Gitea versions up to and including 1.26.1 allow the Allow edits from maintainers permission path to authorize commits to repositories that the user can read but should not be able to write.","Type":"Description","Title":"Gitea maintainer-edit permissions allow unauthorized commits to "}]}}}