{"api_version":"1","generated_at":"2026-07-04T16:59:52+00:00","cve":"CVE-2026-27761","urls":{"html":"https://cve.report/CVE-2026-27761","api":"https://cve.report/api/cve/CVE-2026-27761.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-27761","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-27761"},"summary":{"title":"Gitea repository feeds bypass API token scope enforcement","description":"Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope.","state":"PUBLISHED","assigner":"Gitea","published_at":"2026-07-03 21:16:58","updated_at":"2026-07-03 21:16:58"},"problem_types":["CWE-863","CWE-863 CWE-863"],"metrics":[{"version":"3.1","source":"88ee5874-cf24-4952-aea0-31affedb7ff2","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/go-gitea/gitea/pull/38147","name":"https://github.com/go-gitea/gitea/pull/38147","refsource":"88ee5874-cf24-4952-aea0-31affedb7ff2","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://blog.gitea.com/release-of-1.26.3-and-1.26.4/","name":"https://blog.gitea.com/release-of-1.26.3-and-1.26.4/","refsource":"88ee5874-cf24-4952-aea0-31affedb7ff2","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/go-gitea/gitea/releases/tag/v1.26.3","name":"https://github.com/go-gitea/gitea/releases/tag/v1.26.3","refsource":"88ee5874-cf24-4952-aea0-31affedb7ff2","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/go-gitea/gitea/security/advisories/GHSA-3pww-vcvm-3gmj","name":"https://github.com/go-gitea/gitea/security/advisories/GHSA-3pww-vcvm-3gmj","refsource":"88ee5874-cf24-4952-aea0-31affedb7ff2","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-27761","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27761","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Gitea","product":"Gitea Open Source Git Server","version":"affected 1.26.2 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"babakizo420","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Gitea Open Source Git Server","vendor":"Gitea","versions":[{"lessThanOrEqual":"1.26.2","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"reporter","value":"babakizo420"}],"descriptions":[{"lang":"en","value":"Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-03T20:19:36.576Z","orgId":"88ee5874-cf24-4952-aea0-31affedb7ff2","shortName":"Gitea"},"references":[{"name":"GitHub Security Advisory","tags":["vendor-advisory"],"url":"https://github.com/go-gitea/gitea/security/advisories/GHSA-3pww-vcvm-3gmj"},{"name":"GitHub Pull Request #38147","tags":["patch"],"url":"https://github.com/go-gitea/gitea/pull/38147"},{"name":"Gitea v1.26.3 Release","tags":["release-notes"],"url":"https://github.com/go-gitea/gitea/releases/tag/v1.26.3"},{"name":"Gitea v1.26.4 Release Blog Post","tags":["release-notes"],"url":"https://blog.gitea.com/release-of-1.26.3-and-1.26.4/"}],"title":"Gitea repository feeds bypass API token scope enforcement","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"88ee5874-cf24-4952-aea0-31affedb7ff2","assignerShortName":"Gitea","cveId":"CVE-2026-27761","datePublished":"2026-07-03T20:19:36.576Z","dateReserved":"2026-03-03T03:26:00.375Z","dateUpdated":"2026-07-03T20:19:36.576Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-03 21:16:58","lastModifiedDate":"2026-07-03 21:16:58","problem_types":["CWE-863","CWE-863 CWE-863"],"metrics":{"cvssMetricV31":[{"source":"88ee5874-cf24-4952-aea0-31affedb7ff2","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"27761","Ordinal":"1","Title":"Gitea repository feeds bypass API token scope enforcement","CVE":"CVE-2026-27761","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"27761","Ordinal":"1","NoteData":"Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope.","Type":"Description","Title":"Gitea repository feeds bypass API token scope enforcement"}]}}}