CVE-2026-25714: 
취약성 분석 및 완화

CVE-2026-25714 is a missing authorization vulnerability in Gitea that allows a public-only scoped API token to access private organization data, representing an incomplete fix for CVE-2025-68941. It affects Gitea versions up to and including 1.26.1, with the patch available in version 1.26.2. The advisory was published on June 5, 2026, and reviewed in the GitHub Advisory Database on June 16, 2026. It carries a CVSS v3.1 base score of 4.3 (Moderate) (Github Advisory, Gitea Advisory).

The vulnerability is classified as CWE-862 (Missing Authorization) and stems from two related flaws in routers/api/v1/api.go. First, the /user/orgs endpoint (line 1599) is missing the checkTokenPublicOnly() middleware call that is correctly applied to the adjacent /users/{username}/orgs route, allowing public-only tokens to bypass scope enforcement on that endpoint. Second, the checkTokenPublicOnly() function uses a Go switch statement (lines 253–295) that evaluates only the first matching case; for routes with both [User, Organization] scope categories, the Organization case matches first, passes its nil-context checks, and the User visibility check is never reached, silently bypassing the restriction. Both issues were introduced by PR #32204, which was the original fix for CVE-2025-68941 (Github Advisory, Gitea Advisory).

An authenticated user holding a public-only scoped API token can enumerate private and limited-visibility organizations they belong to via the /user/orgs endpoint, violating the declared scope constraints of the token. The impact is limited to confidentiality — no data modification or service disruption is possible — but the exposure of private organization membership could facilitate reconnaissance or targeted attacks against those organizations. Integrity and availability are not affected (Github Advisory).

1. Obtain a public-only scoped token: Log into a Gitea instance running version ≤ 1.26.1, navigate to Settings > Applications, create a new API token, and check the "public only" scope option.
2. Call the vulnerable endpoint: Issue a request to the /user/orgs API endpoint using the public-only token:

   curl -H "Authorization: token <PUBLIC_ONLY_TOKEN>" https://gitea.example.com/api/v1/user/orgs

3. Observe unauthorized data: The response will include private and limited-visibility organizations the token owner belongs to, which should have been filtered out by the public-only scope enforcement.
4. Leverage enumerated data: Use the list of private organizations for reconnaissance — identifying internal project names, team structures, or other sensitive organizational metadata (Github Advisory, Gitea Advisory).

• Network: Repeated or automated API requests to /api/v1/user/orgs from a single token or IP address, particularly outside normal usage patterns.
• Logs: Gitea access logs showing requests to /api/v1/user/orgs authenticated with tokens that have public-only scope returning HTTP 200 responses with private organization data.
• Application: Audit log entries for API token usage where a public-only scoped token is querying organization membership endpoints at unusual frequency or times.

Upgrade Gitea to version 1.26.2, which adds checkTokenPublicOnly() to the /user/orgs route and replaces the flawed switch statement with a loop that evaluates all scope categories. As a temporary workaround until patching is feasible, restrict the issuance of public-only scoped tokens and audit existing public-only tokens for unauthorized access to private organization data. Revoking public-only tokens that are not strictly necessary reduces the attack surface (Github Advisory, Gitea Advisory).

The advisory was published by Gitea maintainer lunny and credited to reporter Medoedus. No significant broader media coverage or notable researcher commentary beyond the official advisory has been identified at this time (Gitea Advisory).