CVE-2026-26231
Vulnerability analysis and mitigation

Overview

CVE-2026-26231 is an authorization bypass vulnerability in Gitea titled "Authorization Bypass via 'Allow edits from maintainers' allows unauthorized commits to any readable repo." Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks. It affects Gitea versions up to and including 1.26.1, with the patch released in version 1.26.2. The advisory was first published on June 5, 2026, and added to the GitHub Advisory Database on June 16, 2026. It carries a CVSS v3.1 base score of 8.5 (High) (GitHub Advisory, Gitea Advisory).

Technical details

The vulnerability is classified as CWE-863 (Incorrect Authorization) and stems from two missing validation checks in Gitea's pull request and push handling logic. First, the web UI PR-create endpoint sets allow_maintainer_edit=true without verifying that the submitter has write access to the HEAD repository. Second, when SupportProcReceive is enabled, Gitea relaxes the required push access mode to Read (in routers/web/repo/githttp.go and routers/private/serv.go) and defers enforcement to the pre-receive hook. The pre-receive hook's CanMaintainerWriteToBranch function (in models/issues/pull_list.go) then checks write access against the BASE repository, which is the attacker's own fork, rather than the upstream HEAD repository, allowing the push to succeed. A public proof-of-concept Python script (poc.py) is included in the advisory and demonstrates full exploitation (GitHub Advisory, Gitea Advisory).

Impact

Successful exploitation results in full repository compromise: any authenticated user, including those with only read access, can push arbitrary commits to any readable repository on the Gitea instance, including all public repositories. This allows attackers to backdoor source code, inject malicious dependencies, tamper with release artifacts, or corrupt project history without any write permissions. The integrity impact is high, with a secondary low confidentiality impact (e.g., access to repository metadata during the exploit flow), and the scope is changed since the attacker's actions affect resources beyond their own fork (GitHub Advisory).

Exploitation steps

  1. Reconnaissance: Identify a target Gitea instance running version ≤ 1.26.1. Enumerate public or readable repositories that the attacker does not have write access to.
  2. Fork the target repository: Using a low-privilege attacker account, fork the victim's repository (e.g., victim/repo) to create attacker/repo_pocfork.
  3. Create a reverse-fork PR: Navigate to the web compare endpoint and create a pull request with BASE = attacker/repo_pocfork (the attacker's fork) and HEAD = victim/repo (the upstream target). Enable the "Allow edits from maintainers" checkbox. This sets AllowMaintainerEdit=true against the upstream HEAD without verifying write access.
  4. Clone the fork and make a malicious commit: Clone attacker/repo_pocfork locally, add a malicious file or code change (e.g., PWNED.txt or a backdoored dependency), and commit it.
  5. Push to the upstream: Run git push targeting the upstream repository URL (e.g., http://gitea:3000/victim/repo.git). Gitea's pre-receive hook calls CanMaintainerWriteToBranch, finds the malicious PR with AllowMaintainerEdit=true, checks write access against the BASE (attacker's fork), and incorrectly authorizes the push.
  6. Confirm compromise: The commit appears on the upstream repository's default branch, committed by the attacker account with no legitimate write access. This can be automated using the provided poc.py script: python3 poc.py --repo http://gitea:3000/victim/repo --user attacker --password attacker_pass (GitHub Advisory, Gitea Advisory).

Indicators of compromise

  • Logs: Gitea access logs showing a git push (HTTP POST to /victim/repo.git/git-receive-pack) from a user account that has no write permissions to the target repository; SSH push events from low-privilege users to repositories they do not own.
  • Logs: Pull request creation logs showing a PR where BASE is a fork owned by the pusher and HEAD is an upstream repository the pusher does not have write access to, with allow_maintainer_edit=true.
  • Repository Activity: Unexpected commits appearing on a repository's default branch authored by accounts that are not listed as collaborators or contributors with write access; commit messages such as 'PoC: unauthorized commit via maintainer-edit bypass' or unexpected files like PWNED.txt.
  • Network: HTTP POST requests to /compare or PR-creation endpoints with allow_maintainer_edit=true parameters from low-privilege user accounts, followed shortly by push requests to upstream repositories.
  • File System: Unexpected new files or modified source files (e.g., backdoored dependencies, injected scripts) in repository working trees on the Gitea server (GitHub Advisory).
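The first two indicators above can be turned into a detection routine: flag git-receive-pack (push) requests from users who hold no write access to the target repository, and flag pull requests where BASE is a fork owned by the author, HEAD is a repository the author cannot write to, and maintainer edits are enabled. The Go program below is an added example, not part of the advisory or of Gitea's code; it assumes a simplified key=value access-log layout (Gitea's real log format is configurable and differs), constructed PR records, and a constructed permission table with an extra contributor "alice" for a benign comparison case.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed access-log lines in a simplified key=value layout. This layout
// is an assumption for the example, not Gitea's exact log format.
var sampleAccessLog = []string{
	`2026-06-07T10:01:12Z user=attacker method=POST path=/attacker/repo_pocfork.git/git-receive-pack status=200`,
	`2026-06-07T10:02:40Z user=attacker method=POST path=/victim/repo.git/git-receive-pack status=200`,
	`2026-06-07T10:03:05Z user=victim method=POST path=/victim/repo.git/git-receive-pack status=200`,
	`2026-06-07T10:04:00Z user=attacker method=POST path=/victim/repo.git/git-upload-pack status=200`,
}

// receivePackRe extracts the pusher and the target repository from a
// git-receive-pack (push) request line. Fetches (git-upload-pack) do not match.
var receivePackRe = regexp.MustCompile(`user=(\S+) method=POST path=/([^/]+)/([^/]+)\.git/git-receive-pack`)

// writeACL lists who holds write access per repository (constructed sample
// data standing in for the instance's real permission model).
var writeACL = map[string]map[string]bool{
	"victim/repo":           {"victim": true},
	"attacker/repo_pocfork": {"attacker": true},
	"alice/repo":            {"alice": true},
}

func canWrite(user, repo string) bool { return writeACL[repo][user] }

// Finding records one suspicious event.
type Finding struct {
	User string
	Repo string
	Why  string
}

// findUnauthorizedPushes flags pushes by users without write access to the
// target repository. Read-only operations are expected and are ignored.
func findUnauthorizedPushes(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		m := receivePackRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		user, repo := m[1], m[2]+"/"+m[3]
		if !canWrite(user, repo) {
			out = append(out, Finding{user, repo, "push without write access"})
		}
	}
	return out
}

// PREvent is a constructed pull-request creation record.
type PREvent struct {
	Author              string
	BaseRepo            string
	HeadRepo            string
	AllowMaintainerEdit bool
}

var samplePREvents = []PREvent{
	{"attacker", "attacker/repo_pocfork", "victim/repo", true}, // reverse-fork PR
	{"alice", "victim/repo", "alice/repo", true},               // normal contributor PR
}

// findReverseForkPRs flags PRs whose BASE is owned by the author while HEAD is
// a repository the author cannot write to, with maintainer edits enabled.
func findReverseForkPRs(events []PREvent) []Finding {
	var out []Finding
	for _, e := range events {
		if !e.AllowMaintainerEdit {
			continue
		}
		baseOwner := strings.SplitN(e.BaseRepo, "/", 2)[0]
		if baseOwner == e.Author && !canWrite(e.Author, e.HeadRepo) {
			out = append(out, Finding{e.Author, e.HeadRepo, "reverse-fork PR with maintainer edits enabled"})
		}
	}
	return out
}

func main() {
	findings := append(findUnauthorizedPushes(sampleAccessLog), findReverseForkPRs(samplePREvents)...)
	for _, f := range findings {
		fmt.Printf("%-9s %-22s %s\n", f.User, f.Repo, f.Why)
	}
}
```

Against the constructed data the routine reports exactly two findings: the attacker's push to victim/repo and the attacker's reverse-fork PR; alice's ordinary fork PR and the attacker's push to their own fork are not flagged. In a real deployment the permission lookup would come from the Gitea database or API, and the PR check should be correlated with a push to the HEAD repository shortly afterwards, as the Network indicator describes.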

Mitigation and workarounds

Gitea has released version 1.26.2, which patches this vulnerability; all users running version 1.26.1 or earlier should upgrade immediately. The fix requires two independent checks: (1) at PR creation, verify the submitter has write access to the HEAD repository before setting AllowMaintainerEdit=true; and (2) in CanMaintainerWriteToBranch, verify that the PR's HEAD repo matches the repository being pushed to and that the PR was opened by a legitimate owner or writer of the HEAD repository. No configuration-based workaround is documented; upgrading to 1.26.2 is the only recommended remediation (GitHub Advisory, Gitea Advisory).
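To make the flaw described under Technical details and the two checks described here concrete, the Go model below reconstructs the authorization decision in simplified form. It is an added example, not Gitea's code: the Repo, PullRequest and AccessTable types, the function signatures, and the contributor "alice" with her fork are assumptions for illustration, and Gitea's real functions take different arguments. The vulnerable version follows the advisory's description (write access is checked against BASE only); the fixed version adds the HEAD-matches-target and author-can-write-to-HEAD conditions.

```go
package main

import "fmt"

// Repo identifies a repository by owner and name (simplified model).
type Repo struct {
	Owner string
	Name  string
}

func (r Repo) FullName() string { return r.Owner + "/" + r.Name }

// PullRequest holds only the fields the authorization decision depends on.
type PullRequest struct {
	Author              string
	Base                Repo // repository the PR targets
	Head                Repo // repository the PR's changes come from
	HeadBranch          string
	AllowMaintainerEdit bool
}

// AccessTable maps repo full name -> user -> has write access. It stands in
// for the instance's permission lookup (constructed sample data below).
type AccessTable map[string]map[string]bool

func (a AccessTable) CanWrite(user string, r Repo) bool {
	return a[r.FullName()][user]
}

// vulnerableCanMaintainerWriteToBranch models the flawed check described in
// the advisory: find a PR with maintainer edits enabled whose HEAD branch is
// the pushed branch, then ask whether the pusher can write to the PR's BASE
// repository. When BASE is a fork the pusher owns, the answer is always yes.
func vulnerableCanMaintainerWriteToBranch(acl AccessTable, prs []PullRequest, pusher string, target Repo, branch string) bool {
	for _, pr := range prs {
		if !pr.AllowMaintainerEdit || pr.HeadBranch != branch {
			continue
		}
		if acl.CanWrite(pusher, pr.Base) {
			return true
		}
	}
	return false
}

// fixedCanMaintainerWriteToBranch adds the two conditions the advisory lists
// for the fix: the PR's HEAD repository must be the repository being pushed
// to, and the PR author must hold write access to that HEAD repository.
// Only then does the pusher's write access to BASE grant the push.
func fixedCanMaintainerWriteToBranch(acl AccessTable, prs []PullRequest, pusher string, target Repo, branch string) bool {
	for _, pr := range prs {
		if !pr.AllowMaintainerEdit || pr.HeadBranch != branch {
			continue
		}
		if pr.Head != target {
			continue // PR does not originate from the repository being pushed to
		}
		if !acl.CanWrite(pr.Author, pr.Head) {
			continue // author could not legitimately grant maintainer edits on HEAD
		}
		if acl.CanWrite(pusher, pr.Base) {
			return true
		}
	}
	return false
}

// allowMaintainerEditOnCreate models the PR-creation fix: the flag is honoured
// only when the submitter has write access to the HEAD repository.
func allowMaintainerEditOnCreate(acl AccessTable, pr PullRequest, requested bool) bool {
	return requested && acl.CanWrite(pr.Author, pr.Head)
}

// sampleScenario builds constructed data: the reverse-fork PR from the
// advisory and a normal contributor PR from a fork owned by "alice".
func sampleScenario() (AccessTable, []PullRequest) {
	upstream := Repo{"victim", "repo"}
	fork := Repo{"attacker", "repo_pocfork"}
	aliceFork := Repo{"alice", "repo"}
	acl := AccessTable{
		upstream.FullName():  {"victim": true},
		fork.FullName():      {"attacker": true},
		aliceFork.FullName(): {"alice": true},
	}
	prs := []PullRequest{
		// Reverse-fork PR: BASE is the attacker's fork, HEAD is upstream.
		{Author: "attacker", Base: fork, Head: upstream, HeadBranch: "main", AllowMaintainerEdit: true},
		// Legitimate PR: alice proposes changes from her fork into upstream.
		{Author: "alice", Base: upstream, Head: aliceFork, HeadBranch: "feature", AllowMaintainerEdit: true},
	}
	return acl, prs
}

func main() {
	acl, prs := sampleScenario()
	upstream := Repo{"victim", "repo"}
	aliceFork := Repo{"alice", "repo"}
	fmt.Println("attacker -> victim/repo:main   vulnerable:", vulnerableCanMaintainerWriteToBranch(acl, prs, "attacker", upstream, "main"),
		" fixed:", fixedCanMaintainerWriteToBranch(acl, prs, "attacker", upstream, "main"))
	fmt.Println("victim -> alice/repo:feature   vulnerable:", vulnerableCanMaintainerWriteToBranch(acl, prs, "victim", aliceFork, "feature"),
		" fixed:", fixedCanMaintainerWriteToBranch(acl, prs, "victim", aliceFork, "feature"))
}
```

The second scenario shows why the fix must be more than "reject when BASE is a fork": a maintainer of the upstream pushing to a contributor's fork branch is exactly what the "Allow edits from maintainers" feature exists for, and the fixed check still permits it because alice can write to her own fork (the HEAD) and the pusher can write to the BASE.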

Community reactions

The advisory was published by Gitea maintainer lunny on June 5, 2026, and added to the GitHub Advisory Database on June 16, 2026. The Gitea release blog announced version 1.26.2 as the patched release. No significant broader media coverage or notable independent researcher commentary has been identified beyond the official advisory at this time (Gitea Release Blog, GitHub Advisory).

This report was generated with the help of AI.