CVE-2025-68941
Improper Access Control in Gitea API Allows Data Exposure
Publication date: 2025-12-26
Last updated on: 2025-12-26
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitea | gitea | 1.22.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Gitea before version 1.22.3 involves improper handling of API tokens that are limited to the "public only" scope. Specifically, tokens assigned with this limited scope could incorrectly gain access to private resources, bypassing intended access restrictions. The issue was due to a bug in the enforcement of token scope permissions, which was fixed by modifying API routes and code to correctly restrict such tokens to public resources only. [1]
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to private resources in Gitea when using API tokens that should only have public access. This means that an attacker or user with a token scoped for public resources might be able to access private data or perform actions beyond their intended permissions, potentially exposing sensitive information or compromising repository security. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Gitea to version 1.22.3 or later, which includes the security fix addressing the token scope handling issue. This update corrects the enforcement of the 'public only' token scope to prevent unauthorized access. Applying this update as soon as possible will mitigate the risk. [2, 3]