CVE-2026-27783
Vulnerability Analysis and Mitigation

Overview

CVE-2026-27783 is a missing repository-unit authorization vulnerability in Gitea affecting three issue-template API endpoints. The flaw allows an authenticated user with limited repository access (e.g., Issues unit only) to read Code-tree files — specifically .gitea/ISSUE_TEMPLATE/* and issue_config.yaml — from private repositories without having Code unit permissions. It affects Gitea versions up to and including 1.26.1, with version 1.26.2 containing the fix. The vulnerability carries a CVSS v3.1 base score of 4.3 (Moderate) (GitHub Advisory, Gitea Security Advisory).

Technical Details

The root cause is a missing authorization middleware (CWE-862: Missing Authorization) on three API route registrations in routers/api/v1/api.go. The endpoints GET /repos/{owner}/{repo}/issue_templates, GET /repos/{owner}/{repo}/issue_config, and GET /repos/{owner}/{repo}/issue_config/validate use only context.ReferencesGitRepo(), which opens the git repository but performs no permission check, whereas all sibling Code-tree endpoints (e.g., /languages, /licenses, /contents/*) correctly include the reqRepoReader(unit.TypeCode) middleware. The enclosing route group's repoAssignment() check passes for any user with access to any repository unit, so a user granted only the Issues unit can invoke these handlers and receive Code-tree file contents in the JSON response (GitHub Advisory).
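The registration gap described above, reduced to a runnable model so the effect of the missing guard can be observed (an added example written for this page, not Gitea's own code). It assumes a constructed grants table keyed by raw API token, string unit names standing in for unit.TypeCode and unit.TypeIssues, and a stub handler in place of the real template reader; the two middlewares mirror the roles of repoAssignment() and reqRepoReader(), not their implementations.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// grants: units each API token may read on the repo (constructed sample; real Gitea derives this from team membership).
var grants = map[string]map[string]bool{
	"issues-only-token": {"issues": true},
	"developer-token":   {"code": true, "issues": true},
}

// repoAssignment mirrors the enclosing route group's check: any unit grant at all reaches the handler.
func repoAssignment(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if len(grants[r.Header.Get("Authorization")]) == 0 {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		next(w, r)
	}
}

// reqRepoReader mirrors the per-unit guard the three endpoints lacked before 1.26.2.
func reqRepoReader(unit string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !grants[r.Header.Get("Authorization")][unit] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// Status is the HTTP status token gets from issue_templates registered as in 1.26.1 (fixed=false) or 1.26.2 (fixed=true).
func Status(fixed bool, token string) int {
	h := func(w http.ResponseWriter, _ *http.Request) { // stands in for reading .gitea/ISSUE_TEMPLATE/* from the Code tree
		w.Write([]byte(`[{"name":"bug","about":"constructed sample template"}]`))
	}
	if fixed {
		h = reqRepoReader("code", h)
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/repos/org/repo/issue_templates", repoAssignment(h))
	req := httptest.NewRequest(http.MethodGet, "/api/v1/repos/org/repo/issue_templates", nil)
	req.Header.Set("Authorization", token) // raw token, no "token " prefix, for brevity
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}
```

With fixed=false an Issues-only token receives 200 because the group check alone admits it; with fixed=true the same token receives 403 while a Code-unit token still receives 200.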

Impact

An authenticated attacker with access to a private repository through any non-Code unit (e.g., Issues only) can read the contents of .gitea/ISSUE_TEMPLATE/* and issue_config.yaml from the repository's default branch — files that may contain sensitive project configuration, internal workflow details, or metadata not intended for that user. The exposure is limited to these specific configuration files and does not allow arbitrary Code-tree access; integrity and availability are unaffected. This constitutes a unit-level authorization bypass that violates Gitea's permission model for private repositories (GitHub Advisory, Gitea Security Advisory).

Exploitation Steps

  1. Obtain limited access: Acquire a Gitea API token for an account that is a member of an organization team granted access to the target private repository through a non-Code unit (e.g., Issues unit only).
  2. Identify target repository: Determine the owner and repository name of the private repository (e.g., victim-org/private-repo) running Gitea <= 1.26.1.
  3. Send crafted API request: Issue an authenticated HTTP GET request to one of the vulnerable endpoints:
    GET /api/v1/repos/victim-org/private-repo/issue_templates HTTP/1.1
    Host: TARGET
    Authorization: token <your_token>
  4. Receive Code-tree content: The server responds with 200 OK and returns the parsed contents of .gitea/ISSUE_TEMPLATE/* files as JSON, despite the caller lacking Code unit permissions.
  5. Repeat for issue config: Optionally query /api/v1/repos/victim-org/private-repo/issue_config or /issue_config/validate to retrieve issue_config.yaml contents (GitHub Advisory, Gitea Security Advisory).

Indicators of Compromise

  • Network: Unexpected API requests to /api/v1/repos/{owner}/{repo}/issue_templates, /api/v1/repos/{owner}/{repo}/issue_config, or /api/v1/repos/{owner}/{repo}/issue_config/validate from users or tokens not expected to access Code-tree content.
  • Logs: Gitea access logs showing 200 OK responses to the above endpoints for tokens associated with accounts that have only non-Code unit permissions (e.g., Issues-only team members).
  • Logs: Repeated or automated queries to these three endpoints in short succession, potentially indicating enumeration of multiple repositories.

Mitigation and Remediation

Upgrade Gitea to version 1.26.2 or later, which adds the reqRepoReader(unit.TypeCode) middleware to the three affected route registrations, aligning them with all other Code-tree endpoints in the same route group. No configuration-based workaround is available for unpatched versions; the fix must be applied at the code level. Organizations should also audit team permission assignments to ensure the principle of least privilege is enforced, particularly for private repositories containing sensitive issue templates (GitHub Advisory, Gitea Security Advisory).

Community Response

The vulnerability was reported by researcher hoangperry and published by Gitea maintainer lunny on June 5, 2026, with the advisory formally published to the GitHub Advisory Database on June 16, 2026. No significant broader media coverage or notable community commentary beyond the official advisory has been identified at this time (GitHub Advisory).

Additional Resources

Sources

This report was generated using AI.
