Description
Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication.
Problem types
Product status
Any version
Credits
Alardiians
References
github.com/.../gitea/security/advisories/GHSA-9r5x-wg6m-x2rc
github.com/.../gitea/security/advisories/GHSA-9r5x-wg6m-x2rc (GitHub Security Advisory)
github.com/go-gitea/gitea/pull/37503 (GitHub Pull Request #37503)
github.com/go-gitea/gitea/releases/tag/v1.26.2 (Gitea v1.26.2 Release)
blog.gitea.com/release-of-1.26.2/ (Gitea v1.26.2 Release Blog Post)